CVE-2025-1746: 
OpenCart vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability has been discovered in OpenCart versions prior to 4.1.0, identified as CVE-2025-1746. The vulnerability was discovered and reported by Gonzalo Aguilar García (6h4ack) and was disclosed on February 28, 2025. This security flaw affects the OpenCart e-commerce platform, specifically impacting the product search functionality (INCIBE Alert).

The vulnerability exists in the /product/search endpoint of OpenCart installations. When exploited, it allows attackers to execute JavaScript code in the victim's browser through a specially crafted malicious URL using the search functionality. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and is classified as CWE-79 (Cross-site Scripting) (INCIBE Alert).

If successfully exploited, the vulnerability could allow attackers to steal sensitive user data, such as session cookies, or perform actions on behalf of the victim user. The impact is particularly concerning for e-commerce platforms where sensitive customer and payment information may be processed (INCIBE Alert).

The vulnerability has been patched in OpenCart version 4.1.0. Users and administrators of OpenCart installations are strongly advised to upgrade to this version or later to protect against potential exploitation (INCIBE Alert).