CVE-2021-47946

MEDIUM 5.3

OpenCart 3.0.3.6 Account Takeover via Cross Site Request Forgery

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts.

CWE	CWE-352
Vendor	opencart
Product	opencart
Published	May 10, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for opencart opencart

Be the first to know when new medium vulnerabilities affecting opencart opencart are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

Opencart / OpenCart

3.0.3.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/49407 opencart.com: https://www.opencart.com opencart.com: https://www.opencart.com/index.php?route=cms/download vulncheck.com: https://www.vulncheck.com/advisories/opencart-account-takeover-via-cross-site-request-forgery

Credits

Mahendra Purbia {Mah3Sec}