Executive Summary

CVE-2026-3714 is a Server-Side Template Injection (SSTI) vulnerability found in OpenCart version 4.0.2.3, specifically in the save function of the file admin/controller/design/template.php. It is an incomplete fix of a previous vulnerability (CVE-2024-36694). The vulnerability arises because the save() method accepts user-supplied Twig template code via POST requests and stores it directly in the database without any sanitization, validation, or sandboxing.

When the modified template is rendered on the frontend, the injected code executes on the server side. This happens because Twig filters that allow execution of arbitrary PHP functions are unrestricted, enabling an attacker with administrator authentication to inject malicious payloads that can execute system commands.

No protections such as code validation or Twig sandboxing have been implemented in any OpenCart version to mitigate this issue, making the vulnerability persistent despite UI and codebase changes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to remote code execution (RCE) on the web server with the privileges of the web server user. An authenticated administrator can exploit this to execute arbitrary PHP functions, including system commands, potentially gaining reverse shell access.

The impact includes compromise of confidentiality, integrity, and availability of the affected system. Attackers could execute malicious code, manipulate data, disrupt services, or gain unauthorized access to the server environment.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying the presence of the vulnerable file admin/controller/design/template.php in OpenCart version 4.0.2.3 or similar versions. One method to detect potentially vulnerable targets is by using Google dorking with queries such as "inurl:admin/controller/design/template.php" to find exposed instances.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves the save() function accepting unsanitized Twig template code via POST requests, monitoring or logging POST requests to this endpoint for suspicious payloads containing Twig syntax (e.g., {{...}}) could help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided, but general approaches include:'}, {'type': 'list_item', 'content': 'Using web server access logs or intrusion detection systems (IDS) to look for POST requests to admin/controller/design/template.php containing Twig template expressions.'}, {'type': 'list_item', 'content': 'Searching the file system for the presence of the vulnerable file, e.g., using: find /path/to/opencart/ -name template.php'}, {'type': 'list_item', 'content': 'Using Google dork: inurl:admin/controller/design/template.php'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

No known countermeasures or mitigations have been published for this vulnerability. The vendor did not respond to early disclosure, and the vulnerability remains unpatched.

Immediate steps to mitigate the risk include:

• Restrict access to the admin interface, especially the template editor functionality, to trusted administrators only.
• Implement network-level protections such as IP whitelisting or VPN access for the admin panel.
• Monitor and log POST requests to the vulnerable endpoint for suspicious Twig template payloads.
• Consider replacing the affected component or upgrading to a version that addresses this issue once available.

Useful 0 Not Useful 0