CVE-2025-45893
OpenCart 4.1.0.4 Cross Site Scripting
Summary
- Public Exploits: 1
- Exploited in Wild: -
Descriptions
OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file containing embedded JavaScript.
OpenCart versions 4.1.0.4 and below suffer from multiple persistent cross-site scripting vulnerabilities. These findings exist in the blog editor and via SVG file uploads.
CVSS Scores
SSVC
- Decision: Track
Timeline
- 2025-04-22 CVE Reserved
- 2025-06-26 CVE Published
- 2025-08-07 CVE Updated
- 2025-08-07 EPSS Updated
- 2025-08-07 First Exploit
- Exploited in Wild: not recorded
- KEV Due Date: not recorded
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
URL | Tag | Date |
---|---|---|
https://www.opencart.com | Product | |
https://packetstorm.news/files/id/202886 | | 2025-08-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Opencart | Opencart | <= 4.1.0.4 | - | Affected |