Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/express-cart@1.1.4
purl pkg:npm/express-cart@1.1.4
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-atgx-r2qy-8ufe
Aliases:
GHSA-f5cv-xrv9-r8w7
GMS-2020-717
NoSQL injection in express-cart Versions of `express-cart` before 1.1.8 are vulnerable to NoSQL injection. The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators. These operators can be used to extract the value of the field blindly in the same manner of a blind SQL injection. In this case, the `$regex` operator is used to guess each character of the token from the start. ## Recommendation Update to version 1.1.8 or later.
1.1.8
Affected by 1 other vulnerability.
VCID-cftz-enwf-6uht
Aliases:
GHSA-8h8v-6qqm-fwpq
GMS-2020-715
Relative Path Traversal in express-cart.
1.1.6
Affected by 3 other vulnerabilities.
1.1.7
Affected by 2 other vulnerabilities.
VCID-eb7w-y953-67dy
Aliases:
GHSA-9pr3-7449-977r
GMS-2020-716
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in express-cart. There are no reported fixed by versions.
VCID-ewh1-bpnm-8fh4
Aliases:
GHSA-3fc5-9x9m-vqc4
GMS-2019-122
Privilege Escalation in express-cart Versions of `express-cart` before 1.1.6 are vulnerable to privilege escalation. This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users. ## Recommendation Update to version 1.1.6 or later.
1.1.6
Affected by 3 other vulnerabilities.
VCID-w999-rut7-z3cc
Aliases:
CVE-2018-3758
GHSA-4w62-cq5r-5mmq
Path Traversal Unrestricted file upload (RCE)
1.1.7
Affected by 2 other vulnerabilities.
VCID-wk1m-n6h7-ufbv
Aliases:
CVE-2018-16483
GHSA-wj36-v8j4-pc7c
Improper Privilege Management A deficiency in the access control in module express-cart allows unprivileged users to add new users to the application as administrators.
1.1.6
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T20:36:07.713488+00:00 GitLab Importer Affected by VCID-eb7w-y953-67dy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/express-cart/GMS-2020-716.yml 38.6.0
2026-06-04T20:35:13.411914+00:00 GitLab Importer Affected by VCID-atgx-r2qy-8ufe https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/express-cart/GMS-2020-717.yml 38.6.0
2026-06-04T20:35:01.073905+00:00 GitLab Importer Affected by VCID-cftz-enwf-6uht https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/express-cart/GMS-2020-715.yml 38.6.0
2026-06-04T20:22:11.876936+00:00 GitLab Importer Affected by VCID-ewh1-bpnm-8fh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/express-cart/GHSA-3fc5-9x9m-vqc4.yml 38.6.0
2026-06-04T20:18:43.996823+00:00 GitLab Importer Affected by VCID-wk1m-n6h7-ufbv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/express-cart/CVE-2018-16483.yml 38.6.0
2026-06-04T20:12:56.646414+00:00 GitLab Importer Affected by VCID-w999-rut7-z3cc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/express-cart/CVE-2018-3758.yml 38.6.0