{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23796", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-01-16T13:19:49.040Z", "datePublished": "2026-02-05T11:07:59.954Z", "dateUpdated": "2026-02-05T14:19:55.348Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Quick.Cart", "vendor": "OpenSolution", "versions": [{"status": "affected", "version": "6.7", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Beniamin Jab\u0142o\u0144ski"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication.&nbsp;This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.</span><br><br>The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.<br>"}], "value": "Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication.\u00a0This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}], "impacts": [{"capecId": "CAPEC-61", "descriptions": [{"lang": "en", "value": "CAPEC-61 Session Fixation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-02-05T11:07:59.954Z"}, "references": [{"tags": ["product"], "url": "https://opensolution.org/sklep-internetowy-quick-cart.html"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2026/02/CVE-2026-23796"}], "source": {"discovery": "EXTERNAL"}, "title": "Session Fixation in Quick.Cart", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T14:19:42.807742Z", "id": "CVE-2026-23796", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:19:55.348Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23796", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T14:19:42.807742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:19:50.281Z"}}], "cna": {"title": "Session Fixation in Quick.Cart", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Beniamin Jab\u0142o\u0144ski"}], "impacts": [{"capecId": "CAPEC-61", "descriptions": [{"lang": "en", "value": "CAPEC-61 Session Fixation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenSolution", "product": "Quick.Cart", "versions": [{"status": "affected", "version": "6.7", "versionType": "semver"}], "defaultStatus": "unknown"}], "references": [{"url": "https://opensolution.org/sklep-internetowy-quick-cart.html", "tags": ["product"]}, {"url": "https://cert.pl/posts/2026/02/CVE-2026-23796", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication.\u00a0This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication.&nbsp;This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.</span><br><br>The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384 Session Fixation"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-02-05T11:07:59.954Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23796", "state": "PUBLISHED", "dateUpdated": "2026-02-05T14:19:55.348Z", "dateReserved": "2026-01-16T13:19:49.040Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-02-05T11:07:59.954Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensolution:quick.cart:6.7:*:*:*:*:*:*:*", "matchCriteriaId": "0544991D-06F2-4207-BAA0-5045BC483E61", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication.\u00a0This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}], "id": "CVE-2026-23796", "lastModified": "2026-02-19T18:31:45.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-02-05T12:16:01.743", "references": [{"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2026/02/CVE-2026-23796"}, {"source": "cvd@cert.pl", "tags": ["Product"], "url": "https://opensolution.org/sklep-internetowy-quick-cart.html"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:02:26.241962+00:00", "value": {"mitigation_remediation": ["Ensure the application regenerates the session ID upon successful authentication so that any pre\u2011auth session token is invalidated.", "If a vendor patch for Quick.Cart 6.7 is released, apply it immediately.", "Until a patch is available, block or filter requests that set a session ID before authentication using a web\u2011application firewall or server\u2011side validation.", "As a temporary measure, invalidate all existing sessions at the time of user login to reduce the window of opportunity for hijacking.", "Update your monitoring to detect repeated attempts to bind a session ID pre\u2011authentication and alert administrators."], "summary": {"action": "Patch Now", "impact": "Session Hijacking via Fixation"}, "threat_synthesis": {"affected_systems": "The affected product is OpenSolution Quick.Cart. Version 6.7 was confirmed vulnerable, and other versions have not been tested but may also share the same issue. No other versions or product variants were mentioned in the vendor notice.", "description_and_impact": "Quick.Cart allows a user\u2019s session identifier to be set before authentication and preserves that value after login, enabling attackers to predefine a session ID for a victim and later hijack the authenticated session. This flaw, classified as CWE\u2011384, leads to unauthorized access by masquerading as the victim, potentially exposing confidential data and permitting further malicious actions.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 4.8, indicating moderate severity. The EPSS value is less than 1\u202f%, suggesting currently low exploitation probability. It is not listed in the CISA KEV catalog. Attackers could exploit the flaw by crafting requests that set a session cookie before authentication, a path typical to web applications that allow cookie manipulation. Because no patch is publicly available, the risk remains unless mitigated by configuration changes."}}}}, "created": "2026-02-06T12:05:45.112019+00:00", "updated": "2026-04-17T23:15:30.793851+00:00", "vendors": ["opensolution", "opensolution$PRODUCT$quick.cart"]}