A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the component Single-Use Coupon Handler. Performing manipulation results in race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
PUBLISHED5.2CWE-362
OpenCart Single-Use Coupon race condition
Problem type
Affected products
OpenCart
4.1.0.0 - AFFECTED
4.1.0.1 - AFFECTED
4.1.0.2 - AFFECTED
4.1.0.3 - AFFECTED
References
VDB-338494 | OpenCart Single-Use Coupon race condition
https://vuldb.com/?id.338494
VDB-338494 | CTI Indicators (IOB, IOC)
https://vuldb.com/?ctiid.338494
Submit #711745 | OpenCart 4.1.0.3 Time-of-check Time-of-use
https://vuldb.com/?submit.711745
gist.github.com
https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01
gist.github.com
https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01#steps-to-reproduce
GitHub Security Advisories
GHSA-wgfq-49px-5cwg
A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some...
https://github.com/advisories/GHSA-wgfq-49px-5cwgA security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the component Single-Use Coupon Handler. Performing manipulation results in race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2025-15116
gist.github.com
https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01
gist.github.com
https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01#steps-to-reproduce
vuldb.com
https://vuldb.com/?ctiid.338494
vuldb.com
https://vuldb.com/?id.338494
vuldb.com
https://vuldb.com/?submit.711745
github.com
https://github.com/advisories/GHSA-wgfq-49px-5cwg
JSON source
https://cveawg.mitre.org/api/cve/CVE-2025-15116Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-15116",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2025-12-28T02:02:06.876Z",
"dateReserved": "2025-12-27T08:41:00.853Z",
"datePublished": "2025-12-28T02:02:06.876Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2025-12-28T02:02:06.876Z"
},
"title": "OpenCart Single-Use Coupon race condition",
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the component Single-Use Coupon Handler. Performing manipulation results in race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"affected": [
{
"vendor": "n/a",
"product": "OpenCart",
"modules": [
"Single-Use Coupon Handler"
],
"versions": [
{
"version": "4.1.0.0",
"status": "affected"
},
{
"version": "4.1.0.1",
"status": "affected"
},
{
"version": "4.1.0.2",
"status": "affected"
},
{
"version": "4.1.0.3",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Race Condition",
"cweId": "CWE-362",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/?id.338494",
"name": "VDB-338494 | OpenCart Single-Use Coupon race condition",
"tags": [
"vdb-entry"
]
},
{
"url": "https://vuldb.com/?ctiid.338494",
"name": "VDB-338494 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/?submit.711745",
"name": "Submit #711745 | OpenCart 4.1.0.3 Time-of-check Time-of-use",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01",
"tags": [
"related"
]
},
{
"url": "https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01#steps-to-reproduce",
"tags": [
"exploit"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"baseScore": 3.7,
"baseSeverity": "LOW"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"baseScore": 3.7,
"baseSeverity": "LOW"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"baseScore": 2.6
}
}
],
"timeline": [
{
"time": "2025-12-27T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2025-12-27T01:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2025-12-27T09:46:36.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "KhanMarshal (VulDB User)",
"type": "reporter"
}
]
}
}
}