Lucene search
K

16 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:15 p.m.13 views

CVE-2026-46408

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cartid and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another...

7.6CVSS5.5AI score0.002EPSS
Exploits0References1
NVD
NVD
added 2026/05/15 7:17 p.m.45 views

CVE-2026-46408

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cartid and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another...

7.6CVSS0.002EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/15 6:46 p.m.28 views

EUVD-2026-30584

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cartid and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another...

7.6CVSS5.8AI score0.002EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/15 6:46 p.m.57 views

CVE-2026-46408 Vvveb: checkout IDOR allows unauthorized reuse of another user's cart

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cartid and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another...

7.6CVSS0.002EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.18 views

PT-2026-41371

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse anothe...

7.6CVSS5.8AI score0.002EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/11 12:12 a.m.4 views

EUVD-2026-10915

Sylius is Missing Authorization in API v2 Add Item Endpoint...

6.9CVSS5.8AI score0.00182EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/11 12:12 a.m.4 views

EUVD-2026-10914

Sylius is Missing Authorization in API v2 Add Item Endpoint...

6.9CVSS5.8AI score0.00182EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/03/11 12:12 a.m.6 views

Sylius is Missing Authorization in API v2 Add Item Endpoint

Impact The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. POST /api/v2/shop/orders/tokenValue/items Other mutation endpoints PUT, PATCH, DELETE are no...

6.9CVSS6AI score0.00182EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/11 12:12 a.m.4 views

GHSA-WJMG-4CQ5-M8HG Sylius is Missing Authorization in API v2 Add Item Endpoint

Impact The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. POST /api/v2/shop/orders/tokenValue/items Other mutation endpoints PUT, PATCH, DELETE are no...

6.9CVSS6AI score0.00182EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/03/11 12:0 a.m.8 views

Craft Commerce 安全漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions prior to 4.11.0 and 5.6.0 of Craft Commerce contained security vulnerabilities. These vulnerabilities stemmed from a lack of ownership verification in the shopping cart functionality, which coul...

6.3CVSS5.8AI score0.00284EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/10 9:25 p.m.3 views

CVE-2026-31821

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...

6.9CVSS5.9AI score0.00182EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/10 9:25 p.m.46 views

CVE-2026-31821 Sylius is Missing Authorization in API v2 Add Item Endpoint

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...

6.9CVSS0.00182EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/10 9:25 p.m.3 views

CVE-2026-31821 Sylius is Missing Authorization in API v2 Add Item Endpoint

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...

6.9CVSS5.9AI score0.00182EPSS
Exploits0References1
CVE
CVE
added 2026/03/10 9:25 p.m.25 views

CVE-2026-31821

CVE-2026-31821 affects Sylius (Open Source eCommerce framework on Symfony). The vulnerability is in the POST /api/v2/shop/orders/{tokenValue}/items endpoint, which does not verify cart ownership, allowing an unauthenticated attacker who knows a cart tokenValue to add items to another registered c...

6.9CVSS5.9AI score0.00182EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.3 views

PT-2026-24475

Name of the Vulnerable Software and Affected Versions Sylius versions prior to 2.0.16 Sylius versions prior to 2.1.12 Sylius versions prior to 2.2.3 Description The POST /api/v2/shop/orders/tokenValue/items endpoint in Sylius does not verify cart ownership. This allows an unauthenticated attacker...

6.9CVSS5.9AI score0.00182EPSS
Exploits0References5
OSV
OSV
added 2024/09/17 7:15 p.m.4 views

CVE-2024-8949

A vulnerability classified as critical has been found in SourceCodester Online Eyewear Shop 1.0. This affects an unknown part of the file /classes/Master.php of the component Cart Content Handler. The manipulation of the argument cartid/id leads to improper ownership management. It is possible to...

8.8CVSS5.5AI score0.00723EPSS
Exploits0References5
Rows per page
Query Builder