CVE-2024-53412
Published: 15 April 2026
Description
Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of inputs like the Port field to reject malicious command injection payloads, directly preventing exploitation in the connect function.
SI-2 mandates identification, reporting, testing, and installation of patches to remediate the command injection flaw in ShoppingCart 0.0.2.
SI-4 enables monitoring for indicators of successful command injection, such as anomalous shell executions triggered by Port field payloads.
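The SI-10 control above reduces to two concrete coding rules for a field like Port: accept only a strict allow-list of values (decimal digits in 1..65535) and never hand the value to a shell for parsing. The snippet below is an added illustration written for this page, not code from the ShoppingCart project; the helper names (validate_port, build_connect_command, run_connect) and the use of `nc -z` as the downstream command are hypothetical, standing in for whatever the real connect function does with the port.

```python
import re
import subprocess

# Allow-list pattern: 1-5 decimal digits, no leading zero, nothing else.
# Whitespace, signs, letters and shell metacharacters all fail this test.
_PORT_RE = re.compile(r"^[1-9][0-9]{0,4}$")


def validate_port(value: str) -> int:
    """Return the port as an int, or raise ValueError.

    Validation happens before the value goes anywhere near a command
    line, which is the point of SI-10 here: reject, don't sanitize.
    """
    if not isinstance(value, str) or not _PORT_RE.fullmatch(value):
        raise ValueError(f"port must be 1-5 digits, got {value!r}")
    port = int(value)
    if port > 65535:  # lower bound already enforced by the pattern
        raise ValueError(f"port out of range: {port}")
    return port


def build_connect_command(host: str, raw_port: str) -> list[str]:
    """Build an argv list for a hypothetical connectivity check.

    The command is an argument vector, never a single shell string, so
    the port arrives as one argv element and /bin/sh never parses it.
    (Constructed example; the real connect function is not shown here.)
    """
    port = validate_port(raw_port)
    return ["nc", "-z", host, str(port)]


def run_connect(host: str, raw_port: str) -> int:
    """Run the check with shell=False (the subprocess default)."""
    argv = build_connect_command(host, raw_port)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    print(build_connect_command("localhost", "443"))
    for bad in ("80;x", " 80", "-1", "70000"):
        try:
            validate_port(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The two defenses are independent: the allow-list stops the attack described in this CVE at the input boundary, and passing an argv list instead of a shell string means that even a validation bypass would not reach a shell parser. Host validation is left out of this example; in a real connect function it needs the same treatment.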
Security Summary
CVE-2024-53412 is a command injection vulnerability in the connect function of NietThijmen ShoppingCart version 0.0.2. The flaw allows attackers to inject malicious payloads into the Port field, enabling the execution of arbitrary shell commands and achieving remote code execution. It carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-77 (Command Injection). The vulnerability was published on 2026-04-15.
A local attacker with no privileges required can exploit this issue with low attack complexity and no user interaction. By crafting payloads for the Port field, the attacker can execute arbitrary shell commands, leading to remote code execution with high impacts on confidentiality, integrity, and availability.
Advisories and further details are documented in GitHub repositories, including https://github.com/Buckdray/vulnerability-research/blob/main/CVE-2024-53412/README.md and https://github.com/NietThijmen/ShoppingCart/issues/1.
Details
- CWE(s): CWE-77 (Command Injection)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the Port field enables arbitrary shell command execution (T1059.004) and local RCE for privilege escalation (T1068).