CVE-2025-1748: 
OpenCart vulnerability analysis and mitigation

HTML injection vulnerability (CVE-2025-1748) affects OpenCart versions prior to 4.1.0. The vulnerability was discovered and disclosed on February 28, 2025, by the Spanish National Cybersecurity Institute (INCIBE). This vulnerability specifically impacts the account registration functionality of OpenCart e-commerce platform (NVD, INCIBE).

The vulnerability allows an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in the /account/register endpoint. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows attackers to perform HTML injection attacks that could modify the content displayed in the victim's browser. This could potentially lead to user interface manipulation and possible phishing attacks through modified registration page content (INCIBE).

The vulnerability has been fixed in OpenCart version 4.1.0. Users are advised to upgrade to this version or later to mitigate the risk. No temporary workarounds have been published (INCIBE).