CVE-2026-23796CRITICAL 9.8EPSS p18.2%

CVE-2026-23796CVE-2026-23796

Description

Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.27% probability of exploitation · percentile 18.2% · 2026-06-19T12:03:05Z
Published2026-02-05
Last modified2026-02-19

Underlying weaknesses· 1

CWE-384

References

  1. https://cert.pl/posts/2026/02/CVE-2026-23796
  2. https://opensolution.org/sklep-internetowy-quick-cart.html

1

TypeTargetConfidenceTier
WeaknessSession Fixationcwe-3840%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-24352
CVE
CVE-2026-2347
CVE
CVE-2025-69602
CVE
CVE-2026-25101
CVE
CVE-2025-59786
CVE
CVE-2026-32422
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.