PT-2026-51114 · Packagist · Craftcms/Commerce
Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-55795
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided.
Details
When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.
Vulnerable Code

PoC
Impact
An attacker can enumerate all coupon codes through automated requests.
Remediation
Apply rate limiting unconditionally on actionUpdateCart regardless of whether 'number' is present.
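The following PHP 8 script is an added illustration of the remediation, not code from Craft CMS Commerce: it places the conditional shape described in the advisory (limiter consulted only when 'number' is present) beside the unconditional shape the remediation calls for, and replays a burst of coupon guesses from one session against each. Only CartController, actionUpdateCart and the 'number' parameter come from the advisory; the RateLimiter internals, CouponStore, simulate() and all sample values are constructed stand-ins so the script runs on its own.

```php
<?php
// Added example, not code from Craft CMS Commerce: contrasts a rate limiter
// attached only when the 'number' parameter is present with one that runs on
// every request. CartController, actionUpdateCart and 'number' come from the
// advisory; RateLimiter internals, CouponStore, simulate() and the sample
// values below are constructed stand-ins.

// Fixed-window limiter keyed by client (session id or IP); constructed for this example.
final class RateLimiter
{
    /** @var array<string, array{int,int}> window start and hit count per client */
    private array $hits = [];

    public function __construct(private int $limit, private int $windowSeconds) {}

    // true while the client is within budget for the current window, false once exhausted
    public function allow(string $clientKey, int $now): bool
    {
        [$windowStart, $count] = $this->hits[$clientKey] ?? [$now, 0];
        if ($now - $windowStart >= $this->windowSeconds) {
            [$windowStart, $count] = [$now, 0];   // window expired: start a fresh one
        }
        $count++;
        $this->hits[$clientKey] = [$windowStart, $count];
        return $count <= $this->limit;
    }
}

// Stand-in for the coupon lookup the cart performs on each update.
final class CouponStore
{
    public function __construct(private array $validCodes) {}

    public function isValid(string $code): bool
    {
        return in_array($code, $this->validCodes, true);
    }
}

// Vulnerable shape: the limiter is consulted only when 'number' is supplied,
// so requests against the session-based cart (no 'number') are never throttled.
final class VulnerableCartController
{
    public function __construct(private RateLimiter $limiter, private CouponStore $coupons) {}

    public function actionUpdateCart(array $params, string $clientKey, int $now): string
    {
        if (isset($params['number']) && !$this->limiter->allow($clientKey, $now)) {
            return 'throttled';
        }
        return $this->coupons->isValid($params['couponCode'] ?? '') ? 'applied' : 'invalid';
    }
}

// Remediated shape: the limiter is consulted before every coupon lookup,
// whether or not 'number' is present.
final class FixedCartController
{
    public function __construct(private RateLimiter $limiter, private CouponStore $coupons) {}

    public function actionUpdateCart(array $params, string $clientKey, int $now): string
    {
        if (!$this->limiter->allow($clientKey, $now)) {
            return 'throttled';
        }
        return $this->coupons->isValid($params['couponCode'] ?? '') ? 'applied' : 'invalid';
    }
}

// Replays $attempts coupon guesses from one session, omitting 'number', and
// tallies how many reached the coupon lookup versus were throttled.
function simulate(object $controller, int $attempts): array
{
    $tally = ['applied' => 0, 'invalid' => 0, 'throttled' => 0];
    $now = 1_700_000_000;                                 // constructed fixed clock
    for ($i = 0; $i < $attempts; $i++) {
        $result = $controller->actionUpdateCart(
            ['couponCode' => sprintf('GUESS%03d', $i)],   // no 'number' key
            'session:abc123',                             // constructed session id
            $now,                                         // all attempts in one window
        );
        $tally[$result]++;
    }
    return $tally;
}

$coupons = new CouponStore(['SPRING25', 'GUESS042']);   // constructed sample codes
$limit = 10;
$window = 60;

print_r(simulate(new VulnerableCartController(new RateLimiter($limit, $window), $coupons), 50));
print_r(simulate(new FixedCartController(new RateLimiter($limit, $window), $coupons), 50));
```

Run with `php example.php`. Every guess in the first tally reaches the coupon store because the session cart never supplies 'number', while the second tally shows the fixed controller handing back 'throttled' once the per-client budget for the window is spent. The design point is that the limiter's attachment must not depend on request input the client controls; if a behavior is registered conditionally, the condition itself becomes a bypass.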
Fix
Weakness Enumeration
Improper Restriction of Excessive Authentication Attempts
Related Identifiers
Affected Products
Craftcms/Commerce