Lucene search
K

8 matches found

Cvelist
Cvelist
added 2026/05/15 6:46 p.m.58 views

CVE-2026-46408 Vvveb: checkout IDOR allows unauthorized reuse of another user's cart

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cartid and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another...

7.6CVSS0.002EPSS
Exploits0References1
CVE
CVE
added 2026/05/15 6:46 p.m.23 views

CVE-2026-46408

Vvveb CMS vulnerable before 1.0.8.3: the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership, enabling a logged-in attacker to reuse another user’s cart in their own checkout session. The fixed version is 1.0.8.3. Impact per s...

7.6CVSS5.8AI score0.002EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.19 views

PT-2026-41371

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse anothe...

7.6CVSS5.8AI score0.002EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:7 p.m.4 views

CVE-2026-31821

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...

6.9CVSS6AI score0.00182EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/03/11 12:12 a.m.7 views

Sylius is Missing Authorization in API v2 Add Item Endpoint

Impact The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. POST /api/v2/shop/orders/tokenValue/items Other mutation endpoints PUT, PATCH, DELETE are no...

6.9CVSS6AI score0.00182EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2021-26221

Malware in sbrugna...

6.5CVSS6.4AI score0.01567EPSS
Exploits0References4
OSV
OSV
added 2022/05/24 7:17 p.m.5 views

GHSA-94WQ-87G6-8H77 Magento Open Source allows Cross-Site Request Forgery (CSRF)

Adobe Commerce versions 2.4.2-p2 and earlier, 2.4.3 and earlier and 2.3.7p1 and earlier are affected by a cross-site request forgery CSRF vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to a customer's cart by an unauthenticated attacker. Acces...

7.1CVSS6.2AI score0.01567EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2021/10/15 2:21 p.m.7 views

CVE-2021-39864 Adobe Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Cart Addition

Adobe Commerce versions 2.4.2-p2 and earlier, 2.4.3 and earlier and 2.3.7p1 and earlier are affected by a cross-site request forgery CSRF vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to...

6.5CVSS7AI score0.01567EPSS
Exploits0References1
Rows per page
Query Builder