Aggregates CVE and security vulnerability intelligence across all kartatopia-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk csrf and vendor risk path handling and related problems; some flaws may lead to vendor impact data exposure, affecting vendor surface production workloads scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2019-25672 | PilusCart 1.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter. Attackers can submit POST requests to the comment submission endpoint with RLIKE-based boolean SQL injection payloads to extract sensitive database information. | [email protected] | 8.8 | 0.02% | 2026-04-05 | 2026-04-09 |
| CVE-2019-16123 | In Kartatopia PilusCart 1.4.1, the parameter filename in the file catalog.php is mishandled, leading to ../ Local File Disclosure. | [email protected] | 7.5 | 47.66% | 2019-09-09 | 2024-11-21 |
| CVE-2019-9769 | PilusCart 1.4.1 is vulnerable to index.php?module=users&action=newUser CSRF, leading to the addition of a new user as administrator. | [email protected] | 8.8 | 0.27% | 2019-03-14 | 2024-11-21 |