Cyber Resilience

CVE-2025-67684

Severity: Critical
Published: 22 January 2026
Modified: 19 February 2026
CVSS v4 Score: 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0073 (49.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-67684 is a critical-severity Path Traversal (CWE-22) vulnerability in Opensolution Quick.Cart. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2025-67684 affects Quick.Cart, an online shop application, through Local File Inclusion (LFI) and Path Traversal vulnerabilities in its theme selection mechanism. The application permits privileged users to upload arbitrary file contents while performing only superficial validation on the filename extension. This flaw enables attackers to upload PHP files that can then be included and executed, culminating in remote code execution (RCE) on the server. Only version 6.7 has been tested and confirmed vulnerable, though other versions may also be affected, as the vendor provided no details on the vulnerable range despite early notification.

Exploitation requires high privileges (PR:H), can be performed over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), and results in unchanged scope (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 7.2. A privileged attacker, such as an authenticated administrator, could leverage the theme upload feature to craft a malicious PHP file disguised with a valid extension, traverse paths to place it in an executable directory, and trigger its inclusion via theme selection, achieving full RCE.

Advisories note that the vendor was notified early but did not respond with vulnerability details, affected versions, or patches. Relevant references include a CERT.PL advisory at https://cert.pl/posts/2026/01/CVE-2025-67683 and the Quick.Cart product page at https://opensolution.org/sklep-internetowy-quick-cart.html, which provide further context but no specific mitigation guidance.

Vulnerability details

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

LFI and path traversal in the web application's theme upload enable direct web shell deployment and RCE on a public-facing server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-23796 (same product: Opensolution Quick.Cart)
- CVE-2025-24406 (shared CWE-22)
- CVE-2026-24848 (shared CWE-22)
- CVE-2024-11642 (shared CWE-22)
- CVE-2026-36760 (shared CWE-22)
- CVE-2024-44373 (shared CWE-22)
- CVE-2026-33529 (shared CWE-22)
- CVE-2026-7519 (shared CWE-22)
- CVE-2019-25480 (shared CWE-22)
- CVE-2026-39844 (shared CWE-22)

Affected Assets

Vendor: opensolution
Product: quick.cart
Version: 6.7

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Enforces validation of uploaded file contents, names, and paths beyond simple extension checks to block traversal and malicious PHP inclusion.
- Integrity verification (prevent, detect): Requires integrity verification of uploaded theme files to detect unauthorized or malicious code before execution via the selection mechanism.
- CM-7 Least Functionality (prevent): Restricts the application to only necessary functionality, disabling or limiting arbitrary file upload and dynamic inclusion features that enable RCE.
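As an added defender-side example (not Quick.Cart code), the following PHP 8 checks tie together the upload and inclusion flaws described in the deeper analysis and the input-validation and least-functionality controls listed above: a theme name is resolved only inside a fixed theme root, and an uploaded theme file is judged by its name and its content, not merely its extension. THEME_ROOT, ALLOWED_EXT and the function names are assumptions.

```php
<?php
// Added example, not Quick.Cart code; THEME_ROOT, ALLOWED_EXT and the function names are assumptions.
declare(strict_types=1);

const THEME_ROOT = __DIR__ . '/templates';   // assumed theme directory
// No svg/xml: the "<?" in their prolog would be rejected by the content check below.
const ALLOWED_EXT = ['css', 'tpl', 'html', 'png', 'jpg', 'gif', 'js'];

// Resolve a user-supplied theme name, rejecting anything that escapes
// THEME_ROOT. The character allowlist stops "../", NUL bytes and "php://"
// wrappers before the filesystem is consulted; realpath() handles symlinks.
function resolveTheme(string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $root = realpath(THEME_ROOT);
    $path = realpath(THEME_ROOT . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false || !is_dir($path)) {
        return null;   // realpath() is false for paths that do not exist
    }
    return str_starts_with($path, $root . DIRECTORY_SEPARATOR) ? $path : null;
}

// Validate an uploaded theme file by name and content, not just extension.
// Returns null when accepted, otherwise the reason for rejection.
function validateThemeUpload(string $clientName, string $contents): ?string
{
    // basename() strips directory parts; a name that changes carried a path.
    if (basename($clientName) !== $clientName
        || !preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,99}\z/', $clientName)) {
        return 'invalid file name';
    }
    $parts = explode('.', strtolower($clientName));
    if (count($parts) < 2) {
        return 'missing extension';
    }
    // Every extension segment is checked, so "shell.php.css" is refused.
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, ALLOWED_EXT, true)) {
            return "extension .$ext not permitted";
        }
    }
    // Any "<?" is treated as PHP: with short_open_tag enabled it would run
    // if the file were ever included, whatever its extension says.
    if (str_contains($contents, '<?')) {
        return 'file contains PHP code';
    }
    return null;
}
```

The name regex also refuses leading dots, so a server configuration file such as .htaccess cannot be planted in the theme directory.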
