PatchSiren cyber security CVE debrief

CVE-2021-47946 Exploit Db CVE debrief

CVE-2021-47946 describes a cross-site request forgery (CSRF) issue in OpenCart's /account/edit flow. According to the supplied CVE description, an attacker can trick a logged-in victim into visiting a malicious page that submits unauthorized account changes, including email updates. This creates a path to account takeover if the attacker can then drive the password reset flow against the modified account.

Vendor: Exploit Db
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

Organizations running OpenCart storefronts, especially administrators responsible for customer accounts, checkout-related identity controls, and password reset workflows. Security teams should also pay attention because the attack relies on browser-mediated session state and victim interaction rather than on a direct authentication bypass, so it will not show up as a failed login.

Technical summary

The supplied record maps this issue to CWE-352 (CSRF) and describes unauthorized state-changing requests against /account/edit in OpenCart 3.0.36. Because the victim is already authenticated, a malicious web page can induce the browser to send a forged request that changes profile data such as the account email address. If password reset flows trust the updated email without additional verification, the attacker may be able to complete takeover of the account.

Defensive priority

Medium to high. The CVSS score is 6.9 (Medium), but the practical impact can be higher for sites where email changes and password resets are not re-validated.

Recommended defensive actions

  • Review the official OpenCart advisory and release/download information linked in the record before deploying fixes.
  • Upgrade from affected OpenCart 3.0.36 to a vendor-supported version that includes the CSRF fix.
  • Verify that account-edit requests require a valid CSRF token and that the token is checked server-side for all state-changing actions.
  • Require additional confirmation for sensitive profile changes, especially email address changes.
  • Harden password reset flows so that an email change alone is not enough on its own to enable a takeover.
  • Monitor account profile changes and password reset activity for unusual patterns, especially rapid email updates followed by reset requests.
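The last recommendation, detecting an email change followed shortly by a password reset request on the same account, is illustrated below with an added example that is not part of the PatchSiren record or of OpenCart. The pipe-delimited event log format, the event names and the customer identifiers are constructed for the example; a real deployment would map OpenCart's own account-edit and reset events onto them.

```python
"""Flag accounts where a password reset request follows an email change
within a short window (the takeover pattern described in the debrief)."""
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp|event|account|detail" format.
SAMPLE_LOG = """\
2026-05-10T09:00:12|account.edit|cust-1042|email=alice@example.com->alice@example.com
2026-05-10T09:14:55|account.edit|cust-2207|email=bob@example.com->bob.new@example.net
2026-05-10T09:16:03|password.reset_request|cust-2207|email=bob.new@example.net
2026-05-10T09:40:00|account.edit|cust-3311|email=carol@example.com->carol.work@example.org
2026-05-10T13:05:41|password.reset_request|cust-3311|email=carol.work@example.org
2026-05-10T14:02:09|password.reset_request|cust-1042|email=alice@example.com
"""

def parse_events(text):
    """Parse pipe-delimited lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|", 3)
        if len(parts) != 4:
            continue
        ts, event, account, detail = parts
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "detail": detail})
    return events

def email_changed(detail):
    """True only when an account.edit detail records a real change of address."""
    if not detail.startswith("email="):
        return False
    old, _, new = detail[len("email="):].partition("->")
    return old != new

def find_suspicious(events, window=timedelta(minutes=30)):
    """Return (account, change_ts, reset_ts) for every reset request that
    follows an email change on the same account within the window."""
    last_change = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "account.edit" and email_changed(ev["detail"]):
            last_change[ev["account"]] = ev["ts"]
        elif ev["event"] == "password.reset_request":
            changed = last_change.get(ev["account"])
            if changed is not None and ev["ts"] - changed <= window:
                hits.append((ev["account"], changed, ev["ts"]))
    return hits

if __name__ == "__main__":
    for account, changed, reset in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f"ALERT {account}: email changed {changed}, reset requested {reset}")
```

With the 30-minute window only cust-2207 is flagged; cust-1042 never actually changed its address and cust-3311's reset came hours later, so both are ignored unless the window is widened.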

Evidence notes

This debrief is based on the supplied CVE description, the NVD metadata, and the references listed in the NVD record. The record identifies CWE-352 and includes references to an Exploit-DB entry, the OpenCart site, the OpenCart download page, and a VulnCheck advisory. The provided corpus does not include a fixed version number, so remediation guidance is limited to upgrading to a vendor-supported release and validating vendor guidance.

Official resources

Publicly recorded in the supplied CVE/NVD data on 2026-05-10. The NVD entry is marked Received, and its references point to OpenCart and third-party advisory material.