osCommerce: Malicious Code Can Be Injected Through Currency Parameter
CVE-2019-25497
Summary
osCommerce, a shopping cart application, contains a SQL injection flaw: a crafted value in the `currency` parameter is passed into a database query, letting an unauthenticated attacker manipulate that query and read sensitive information from the store's database. To protect your store, update to a fixed version of osCommerce or apply the recommended patch.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| oscommerce | oscommerce | <= 2.3.4.1 | – |
Original title
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can se...
Original description
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection payloads to extract sensitive database information.
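As an added illustration (this is not osCommerce's code; the `currencies` table layout and the `resolve_currency` helper are constructed for the demo), the PHP below shows the two controls that close this class of bug for a currency parameter: a strict syntactic allowlist applied before any database access, and a parameterised lookup so the value is bound rather than concatenated into SQL. It uses an in-memory SQLite database through PDO so it runs stand-alone.

```php
<?php
// Added example, not osCommerce code: hardened handling of a currency
// parameter. The `currencies` table and its rows are constructed for this demo.

declare(strict_types=1);

function setup_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE currencies (code TEXT PRIMARY KEY, title TEXT, value REAL)');
    $ins = $db->prepare('INSERT INTO currencies (code, title, value) VALUES (?, ?, ?)');
    foreach ([['USD', 'US Dollar', 1.0], ['EUR', 'Euro', 0.92]] as $row) {
        $ins->execute($row);
    }
    return $db;
}

/**
 * Resolve the currency requested by the client to a configured currency code.
 * Returns null when the value is missing, malformed, or not configured, so the
 * caller falls back to the store default instead of trusting the input.
 */
function resolve_currency(PDO $db, mixed $raw): ?string {
    // Step 1: syntactic allowlist. ISO 4217 codes are exactly three upper-case
    // letters; anything else (quotes, spaces, operators) is rejected before
    // the database is touched at all.
    if (!is_string($raw) || preg_match('/\A[A-Z]{3}\z/', $raw) !== 1) {
        return null;
    }
    // Step 2: parameterised lookup. The value is bound as data, never spliced
    // into the SQL text, so it cannot change the structure of the query.
    $stmt = $db->prepare('SELECT code FROM currencies WHERE code = :code');
    $stmt->execute([':code' => $raw]);
    $code = $stmt->fetchColumn();
    return $code === false ? null : $code;
}

// Demo: what a request handler would do with $_GET['currency'].
// The sample inputs are constructed; the third one is the kind of value the
// allowlist is there to reject.
$db = setup_demo_db();
$samples = ['EUR', 'eur', "USD' OR '1'='1", '', null];
foreach ($samples as $s) {
    $result = resolve_currency($db, $s) ?? 'USD (store default)';
    printf("%-22s -> %s\n", var_export($s, true), $result);
}
```

Either control alone would already stop the injection described above; keeping both means a future change to the query (or a looser allowlist for a new code format) does not silently reopen the hole.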
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 8.8
Vulnerability type: CWE-89 (SQL Injection)
- https://www.exploit-db.com/exploits/46328 Exploit VDB Entry
- https://www.oscommerce.com Product
- https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-currency-param... Third Party Advisory
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026