Vulnerabilities in Quick.Cart

Vulnerability 1
CVE ID: CVE-2025-67683
Publication Date: January 22, 2026
Software Vendor: OpenSolution
Vulnerable Software: Quick.Cart
Vulnerable Version: 6.7
Vulnerability Type (CWE): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Source of Report: Report to CERT Polska

Vulnerability 2
CVE ID: CVE-2025-67684
Publication Date: January 22, 2026
Software Vendor: OpenSolution
Vulnerable Software: Quick.Cart
Vulnerable Version: 6.7
Vulnerability Type (CWE): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Source of Report: Report to CERT Polska

Vulnerability Description

CERT Polska received reports of vulnerabilities in OpenSolution Quick.Cart and coordinated the notification process.

Vulnerability CVE-2025-67683: Quick.Cart is vulnerable to Reflected Cross-Site Scripting in the sSort parameter. An attacker can prepare a URL which, when opened, results in the execution of arbitrary JavaScript code in the user's browser.

Vulnerability CVE-2025-67684: Quick.Cart is vulnerable to Local File Inclusion and Path Traversal attacks in the file type selection mechanism. Quick.Cart allowed an unpatched user to stop arbitrary file extensions, which eliminated file naming, enabling an attacker to include a PHP code file and execute it, leading to remote code execution on the server.

The vendor was previously informed of these vulnerabilities but did not share details about the specific vulnerabilities or the fixed versions. The vulnerabilities were tested and confirmed only in version 6.7; other versions were not tested and may also be vulnerable.

Acknowledgments

Thanks to Arkadiusz Marcie for reporting the vulnerabilities.

For more information on the vulnerability reporting process, visit: https://cert.pl/cvd/
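
Since the advisory names no fixed version, operators may want to check web server logs for both patterns. The following is an added example, not part of the CERT Polska advisory or of OpenSolution's code: it flags sSort values outside an allowlist and traversal sequences in any query parameter, including doubly URL-encoded ones. The allowlist of sSort values, the log format, the sample lines and the parameter name example_param are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Assumption: legitimate sSort values are short alphanumeric tokens; adjust to
# the values your own installation actually emits.
SORT_OK = re.compile(r"[A-Za-z0-9_-]{0,32}")
TRAVERSAL = re.compile(r"\.\.[/\\]")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested URL encoding (%253C -> %3C -> <), at most `rounds` passes."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return the list of findings for one access-log line (empty if clean)."""
    match = REQUEST.search(line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group(1)).query
    # parse_qsl decodes once; fully_decode removes any further encoding layers.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        if name == "sSort" and not SORT_OK.fullmatch(value):
            findings.append("sSort outside allowlist (CVE-2025-67683 pattern)")
        if TRAVERSAL.search(value):
            findings.append(f"traversal sequence in '{name}' (CVE-2025-67684 pattern)")
    return findings

# Constructed sample log lines: documentation IPs, hypothetical parameter name.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2026:10:00:01 +0000] "GET /?sSort=name HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Jan/2026:10:00:07 +0000] "GET /?sSort=%253Cscript%253Ex%253C%252Fscript%253E HTTP/1.1" 200 5131',
    '203.0.113.9 - - [22/Jan/2026:10:00:09 +0000] "GET /?example_param=..%2F..%2Fupload%2Fa.php HTTP/1.1" 200 812',
]

def scan(lines):
    """Map 1-based line number -> findings, for lines with at least one finding."""
    return {i: f for i, line in enumerate(lines, 1) if (f := inspect_line(line))}

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, findings)
```

A hit only shows that a request matched the pattern, not that it succeeded; correlate with response codes and file-system changes before drawing conclusions.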