Cross-Site Request Forgery Vulnerability in OpenCart by OpenCart
CVE-2021-47946

6.9 MEDIUM

Key Information:

Vendor

Opencart

Status
Vendor
CVE Published:
10 May 2026

Badges

👾 Exploit Exists 🟡 Public PoC

What is CVE-2021-47946?

OpenCart 3.0.36 is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability that lets an attacker manipulate a victim's account details. The issue resides in the /account/edit endpoint, which permits unauthorized alterations to victim account information. By luring a logged-in user to a specifically crafted malicious page, an attacker can have the victim's browser submit a CSRF payload to that endpoint. Such a payload can change crucial details such as the account email address, which in turn facilitates unauthorized access through the password reset process. Adequate anti-CSRF measures should be applied to such endpoints to protect user data.
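To make the described weakness concrete, the following is an added illustration written for this page; it is not OpenCart's code and does not reproduce the advisory's PoC. It models a generic account-edit handler in two forms: an unprotected one that honours any POST arriving with the victim's session (the CSRF pattern described above), and a hardened one that checks the request's Origin/Referer and a per-session anti-CSRF token compared in constant time. The `Session`, `Request` and `SITE_ORIGIN` names and the sample e-mail addresses are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://shop.example"  # assumed origin of the shop (constructed value)


@dataclass
class Session:
    """Server-side session of one logged-in customer (constructed model)."""
    customer_email: str
    # Secret token bound to the session; a cross-site page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Minimal model of an HTTP request (hypothetical, not OpenCart's request object)."""
    method: str
    headers: dict
    form: dict
    session: Session


def edit_account_unprotected(req: Request):
    """Vulnerable pattern: any POST carrying the victim's session cookie updates the account."""
    if req.method != "POST":
        return 405, "method not allowed"
    req.session.customer_email = req.form["email"]
    return 200, "updated"


def origin_is_trusted(headers: dict) -> bool:
    """Defence in depth: refuse requests whose Origin (or Referer) names another site."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer", "")
    return referer.startswith(SITE_ORIGIN + "/")


def edit_account_protected(req: Request):
    """Hardened pattern: require a valid per-session anti-CSRF token on every state change."""
    if req.method != "POST":
        return 405, "method not allowed"
    if not origin_is_trusted(req.headers):
        return 403, "cross-site request blocked"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return 403, "missing or invalid CSRF token"
    req.session.customer_email = req.form["email"]
    return 200, "updated"


def forged_request(victim: Session) -> Request:
    """Request a browser would send from an attacker-controlled page: the session cookie is
    attached automatically, but the page cannot supply the token and Origin is foreign."""
    return Request("POST", {"Origin": "https://evil.example"},
                   {"email": "attacker@example.com"}, victim)


def genuine_request(victim: Session) -> Request:
    """Request from the shop's own edit form, which embeds the session's token."""
    return Request("POST", {"Origin": SITE_ORIGIN},
                   {"email": "new@example.com", "csrf_token": victim.csrf_token}, victim)


def simulate() -> dict:
    """Run each handler against a fresh session and report (status, resulting e-mail)."""
    results = {}
    s1 = Session("victim@example.com")
    results["unprotected_forged"] = (edit_account_unprotected(forged_request(s1))[0], s1.customer_email)
    s2 = Session("victim@example.com")
    results["protected_forged"] = (edit_account_protected(forged_request(s2))[0], s2.customer_email)
    s3 = Session("victim@example.com")
    results["protected_genuine"] = (edit_account_protected(genuine_request(s3))[0], s3.customer_email)
    return results


if __name__ == "__main__":
    for scenario, outcome in simulate().items():
        print(f"{scenario}: status={outcome[0]} email={outcome[1]}")
```

In the unprotected variant the forged request succeeds and the stored e-mail becomes the attacker's, which is exactly the precondition for abusing a password-reset flow. The protected variant rejects it while still accepting the shop's own form. Marking the session cookie `SameSite=Lax` or `SameSite=Strict` is a complementary browser-side mitigation; the token check remains the primary control.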

Affected Version(s)

OpenCart 3.0.3.6

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mahendra Purbia {Mah3Sec}