OpenSolution Quick.Cart Reflected XSS and Path Traversal Leading to RCE (CVE-2025-67683, CVE-2025-67684)

Key Vulnerability Information from the Webpage Screenshot Vulnerabilities in Quick.Cart Vulnerability 1 CVE ID: CVE-2025-67683 Publication Date: January 22, 2026 Software Vendor: OpenSolution Vulnerable Software: Quick.Cart Vulnerable Version: 6.7 Vulnerability Type (CWE): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) Source of Report: Report to CERT Polska Vulnerability 2 CVE ID: CVE-2025-67684 Publication Date: January 22, 2026 Software Vendor: OpenSolution Vulnerable Software: Quick.Cart Vulnerable Version: 6.7 Vulnerability Type (CWE): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) Source of Report: Report to CERT Polska Vulnerability Description CERT Polska received reports of vulnerabilities in OpenSolution Quick.Cart and coordinated the information notification process. Vulnerability CVE-2025-67683: Quick.Cart is vulnerable to Reflected Cross-Site Scripting in the sSort parameter. An attacker can craft a URL that, when executed, results in the execution of arbitrary JavaScript code in the user's browser. Vulnerability CVE-2025-67684: Quick.Cart is vulnerable to Local File Inclusion and Path Traversal attacks in the file type selection mechanism. Quick.Cart allowed an unpatched user to bypass file extension restrictions, effectively eliminating file name validation, enabling an attacker to include and execute PHP code files, leading to remote code execution on the server. The manufacturer was previously informed of these vulnerabilities but did not disclose details about the specific vulnerabilities or the fixed versions. The vulnerabilities were tested and confirmed only in version 6.7 — other versions were not tested and may also be vulnerable. Acknowledgments Thanks to Arkadiusz Marcie for reporting the vulnerabilities. For more information on the vulnerability reporting process, visit: https://cert.pl/cvd/

Goal Reached Thanks to every supporter — we hit 100%!

OpenSolution Quick.Cart Reflected XSS and Path Traversal Leading to RCE (CVE-2025-67683, CVE-2025-67684)