CVE-2025-50848: A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code.
A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users.
Security readout for executives and security teams
Plain-English summary
CS-Cart 4.18.3 is reported to allow HTML files to be uploaded and served from the trusted site domain. An attacker could use that to host fake login pages or script content that tricks users, potentially exposing credentials or causing browser-side attacks.
Executive priority
Treat this as a moderate web trust and credential-risk issue. Prioritize internet-facing CS-Cart stores because abuse can damage customer trust even without confirmed active exploitation.
Technical view
The source describes unrestricted HTML upload in CS-Cart 4.18.3, with uploaded HTML rendered directly by browsers. The CVSS 3.1 score is 6.1, reflecting network reachability, low complexity, no privileges, required user interaction, changed scope, and low confidentiality and integrity impact. The mapped weakness is CWE-79.
Likely exposure
Exposure is most likely where CS-Cart 4.18.3 is deployed and upload functionality is reachable by attackers or abused accounts. The affected CPE data is incomplete in the source bundle, so confirm product and version locally.
Exploitation context
The bundle does not cite CISA KEV listing or active exploitation. The described attack depends on uploading crafted HTML and persuading a user to open it from the trusted domain. Evidence supports phishing and XSS-style impact, not server-side code execution detail.
Researcher notes
The provided metadata is internally limited: affected vendor/product fields are n/a, while the description names CS-Cart 4.18.3. No patch version, vendor advisory, or active exploitation evidence is included. Validate against vendor documentation before making final remediation claims.
Mitigation direction
Check CS-Cart vendor guidance for fixed versions or supported workarounds.
Inventory CS-Cart 4.18.3 deployments and public upload surfaces.
Restrict upload access to trusted users until vendor guidance is applied.
Review storage for unknown uploaded HTML files and remove validated malicious content.
Monitor for HTML uploads, suspicious access, and credential-harvesting indicators.
Validation and detection
Confirm whether CS-Cart 4.18.3 is deployed in the environment.
Identify upload paths that accept .html or .htm files.
Verify whether uploaded HTML is served from the main trusted domain.
Review web logs for unexpected HTML upload and access patterns.
Check for user reports tied to suspicious site-hosted login pages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.