{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5331", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-01T13:50:33.935Z", "datePublished": "2026-04-02T13:00:13.393Z", "dateUpdated": "2026-04-02T13:14:33.219Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T13:00:13.393Z"}, "title": "OpenCart Extension Installer installer.php path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "Path Traversal"}]}], "affected": [{"vendor": "n/a", "product": "OpenCart", "versions": [{"version": "4.1.0.3", "status": "affected"}], "cpes": ["cpe:2.3:a:opencart:opencart:*:*:*:*:*:*:*:*"], "modules": ["Extension Installer Page"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in OpenCart 4.1.0.3. This affects an unknown part of the file installer.php of the component Extension Installer Page. Executing a manipulation can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-01T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-01T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-01T15:55:38.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "hai271120 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354665", "name": "VDB-354665 | OpenCart Extension Installer installer.php path traversal", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/354665/cti", "name": "VDB-354665 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780814", "name": "Submit #780814 | OpenCart 4.1.0.3 Path Traversal", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/file/d/1YemSW2Tn0LKzY3mPosMzElQeHs8P3LMt/view?usp=sharing", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:14:15.042801Z", "id": "CVE-2026-5331", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:14:33.219Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5331", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:14:15.042801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:14:21.453Z"}}], "cna": {"title": "OpenCart Extension Installer installer.php path traversal", "credits": [{"lang": "en", "type": "reporter", "value": "hai271120 (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:opencart:opencart:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["Extension Installer Page"], "product": "OpenCart", "versions": [{"status": "affected", "version": "4.1.0.3"}]}], "timeline": [{"lang": "en", "time": "2026-04-01T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-01T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-01T15:55:38.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/354665", "name": "VDB-354665 | OpenCart Extension Installer installer.php path traversal", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/354665/cti", "name": "VDB-354665 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780814", "name": "Submit #780814 | OpenCart 4.1.0.3 Path Traversal", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/file/d/1YemSW2Tn0LKzY3mPosMzElQeHs8P3LMt/view?usp=sharing", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in OpenCart 4.1.0.3. This affects an unknown part of the file installer.php of the component Extension Installer Page. Executing a manipulation can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Path Traversal"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T13:00:13.393Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5331", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:14:33.219Z", "dateReserved": "2026-04-01T13:50:33.935Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-02T13:00:13.393Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in OpenCart 4.1.0.3. This affects an unknown part of the file installer.php of the component Extension Installer Page. Executing a manipulation can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5331", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-02T13:16:27.870", "references": [{"source": "cna@vuldb.com", "url": "https://drive.google.com/file/d/1YemSW2Tn0LKzY3mPosMzElQeHs8P3LMt/view?usp=sharing"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780814"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354665"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354665/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.1.0.3"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenCart", "source": "cna", "vendor": "n/a"}, "product": "opencart", "vendor": "opencart"}], "analysis": {"en": {"generated_at": "2026-04-02T15:35:35.101636+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched version of OpenCart or remove the Extension Installer component if it required", "Restrict access to installer.php by requiring authentication or limiting requests to known IP addresses", "Deploy a web application firewall rule that blocks path traversal patterns such as \"..\" or encoded equivalents on installer.php", "Validate and sanitize all file path parameters on the server to ensure directory traversal characters are not permitted", "Monitor server logs for suspicious requests to installer.php containing traversal patterns and investigate any unauthorized access attempts"], "summary": {"action": "Apply Patch", "impact": "Unauthorized file access via path traversal"}, "threat_synthesis": {"affected_systems": "The affected product is OpenCart, specifically the 4.1.0.3 release of the Extension Installer component. No other versions or products are explicitly listed as affected.", "description_and_impact": "A path traversal vulnerability exists in the installer.php script of the Extension Installer page in OpenCart 4.1.0.3. The flaw allows an attacker to supply a crafted request that causes the application to resolve a file path outside the intended directory. This results in the ability to read files on the server that are not meant to be exposed, potentially exposing configuration files, credentials, or other sensitive data. The likely impact is disclosure of confidential information beyond the scope of the user\u2019s privileges.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting it is not a widely exploited or high\u2011profile issue. The attack can be launched remotely by sending a crafted request to installer.php. There is no official patch or upgrade path provided by the vendor in the supplied data, so exploitation remains feasible until a fix is released. The potential damage is primarily the unauthorized disclosure of files, which could lead to further compromise if sensitive credentials are exposed."}}}}, "created": "2026-04-02T20:12:37.886149+00:00", "updated": "2026-04-02T20:21:18.031571+00:00", "vendors": ["opencart", "opencart$PRODUCT$opencart"]}