| Field | Value |
|---|---|
| Title | OpenCart 4.1.0.3 Code Injection (CWE-94) |
| Description | A Server-Side Template Injection (SSTI) vulnerability exists in OpenCart x.x.x.x through the latest commit in the Template Editor functionality (`admin/controller/design/template.php`). This is a regression of CVE-2024-36694, which identified the same SSTI vulnerability in the Theme Editor (`admin/controller/design/theme.php`) in OpenCart 4.0.2.3. In response to CVE-2024-36694, the codebase was refactored from `theme.php` to `template.php`: the class name changed from `Theme` to `Template`, the UI was updated from a form dropdown to a file browser, and file extension validation (`.twig` only) was added. However, the core vulnerability was never remediated. The `save()` method in `template.php` still accepts user-supplied Twig template code via POST input and stores it directly in the database without any sanitization, validation, or Twig sandboxing. When the modified template is rendered on the frontend, the injected code executes server-side. Using the payload `{{['id']\|filter('system')}}`, an authenticated administrator achieves remote code execution as the web server user, including reverse shell access. The root cause remains unchanged across all versions: the Twig `filter`, `map`, and `reduce` filters are unrestricted, allowing execution of arbitrary PHP functions such as `system()`. No SSTI protection, code validation, or Twig sandbox has been implemented in any version. |
| Source | https://drive.google.com/file/d/1_ZCvICLKo8AOovDkKFHwsBxh-ciwbElS/view?usp=drive_link |
| User | Schlop (UID 95727) |
| Submission | 02/21/2026 17:12 |
| Moderation | 03/07/2026 11:59 (14 days later) |
| Status | Accepted |
| VulDB entry | 349659 [OpenCart 4.0.2.3 Incomplete Fix CVE-2024-36694 template.php save special elements used in a template engine] |
| Points | 20 |
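The description's root cause is that a stored template is compiled by a Twig environment with no `SandboxExtension`, so the built-in `filter`/`map`/`reduce` filters can hand an arbitrary PHP callable name such as `system` to the engine. The following PHP script is an added illustration and is not OpenCart's code: it renders a constructed, attacker-shaped template body (the same payload quoted above) through a plain Twig environment and through one wrapped in Twig's sandbox with an allow-list policy. It assumes `twig/twig` is installed via Composer; the template string, the variable names, the allow-lists and the function names are all assumptions chosen for the demonstration, not identifiers taken from OpenCart.

```php
<?php
// Added example (not OpenCart or Twig project code). Shows why an unsandboxed
// Twig environment executes {{ ['id']|filter('system') }} and how an
// allow-list SecurityPolicy rejects the same template at compile time.
// Assumes: `composer require twig/twig` has been run in this directory.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed stand-in for the template body an administrator would submit to
// the template editor; the second line is the payload quoted in the description.
$untrustedTemplate = "Products: {{ products|length }}\n"
                   . "{{ ['id']|filter('system') }}";

// Constructed view data so the benign part of the template has something to render.
$viewData = ['products' => [1, 2, 3]];

/**
 * Mirrors a storefront that compiles stored templates with a bare Environment.
 * filter('system') becomes array_filter(['id'], 'system'): PHP's system() runs
 * `id` on the server and writes its output straight into the response.
 */
function renderUnsandboxed(string $source, array $data): string
{
    $twig = new Environment(new ArrayLoader(['page' => $source]));
    return $twig->render('page', $data);
}

/**
 * Same template, but every render goes through Twig's sandbox. Only the tags
 * and filters a storefront template legitimately needs are allowed; `filter`,
 * `map` and `reduce` are deliberately absent, so no callable name can be
 * passed from template code to PHP. Unknown filters fail before execution.
 */
function renderSandboxed(string $source, array $data): string
{
    $twig   = new Environment(new ArrayLoader(['page' => $source]));
    $policy = new SecurityPolicy(
        ['if', 'for', 'set'],          // allowed tags
        ['escape', 'length', 'upper'], // allowed filters (assumed minimal set)
        [],                            // allowed methods on objects
        [],                            // allowed properties on objects
        []                             // allowed functions
    );
    // Second argument `true` sandboxes every template, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig->render('page', $data);
}

try {
    echo renderSandboxed($untrustedTemplate, $viewData), PHP_EOL;
} catch (SecurityError $e) {
    // The message names the disallowed filter and the template line it appears on.
    echo 'Rejected by sandbox: ', $e->getMessage(), PHP_EOL;
}

// Uncomment to reproduce the vulnerable behaviour in a lab: this executes `id`
// on the host running the script.
// echo renderUnsandboxed($untrustedTemplate, $viewData), PHP_EOL;
```

The sandbox check runs during compilation of the template, so the rejected payload never reaches PHP's `system()`; the allow-list approach also covers the `map` and `reduce` filters named in the description without having to enumerate dangerous callables. An application that lets administrators edit templates stored in the database would wire the `SandboxExtension` into the environment that renders those templates, not only into the editor that saves them.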