CVE-2026-23796

Session Fixation in Quick.Cart

CVSS 4.8 MEDIUMEPSS 0.3%CWE-384

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.8EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

05 feb 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Productos afectados

OpenSolution · Quick.Cart

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://cert.pl/posts/2026/02/CVE-2026-23796 https://opensolution.org/sklep-internetowy-quick-cart.html