Login Sign Up

CVE-2023-26691

7.2 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on CS-Cart MultiVendor systems through directory traversal in zip file handling during add-on installation. Attackers can upload malicious zip files that extract files outside intended directories, leading to remote code execution. All users running vulnerable versions of CS-Cart MultiVendor are affected.

💻 Affected Systems

Products:
  • CS-Cart MultiVendor
Versions: 4.16.1 and potentially earlier versions
Operating Systems: All platforms running CS-Cart MultiVendor
Default Config Vulnerable: ⚠️ Yes
Notes: Requires add-on installation functionality to be accessible, which is typically available to administrators.

📦 What is this software?

Cs Cart Multivendor by Cs Cart

View all CVEs affecting Cs Cart Multivendor →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, or pivot to other systems.

🟠

Likely Case

Web server compromise leading to data theft, defacement, or installation of cryptocurrency miners or malware.

🟢

If Mitigated

Attack fails due to proper input validation and file extraction restrictions, resulting in no impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative access or ability to upload zip files through the add-on installation interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.16.2 or later

Vendor Advisory: https://www.cs-cart.com/

Restart Required: No

Instructions:

1. Backup your CS-Cart installation and database. 2. Download the latest version from the official CS-Cart website. 3. Follow the official upgrade instructions for your version. 4. Verify the patch by checking the version number.

🔧 Temporary Workarounds

Disable Add-on Installation

all

Temporarily disable the ability to install new add-ons through the admin interface.

Restrict File Uploads

all

Implement web application firewall rules to block suspicious zip file uploads.

🧯 If You Can't Patch

  • Implement strict file upload validation and sanitization for zip files
  • Restrict administrative access to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check if running CS-Cart MultiVendor version 4.16.1 or earlier by examining the version in admin panel or configuration files.

Check Version:

Check admin panel dashboard or examine includes/config.php for version information

Verify Fix Applied:

Verify installation of version 4.16.2 or later and test zip file upload functionality with malicious payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual zip file uploads to add-on installation endpoints
  • File extraction attempts outside designated directories
  • Suspicious file creation in system directories

Network Indicators:

  • HTTP POST requests with zip files to admin/addon_install endpoints
  • Unusual outbound connections from web server

SIEM Query:

source="web_server" AND (uri_path="/admin/addon_install" OR uri_path="/admin.php?dispatch=addons.install") AND file_extension="zip"

📊 Metadata

CVE ID: CVE-2023-26691
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-22
Published: September 25, 2024
Last Updated: April 24, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-26691, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)