Launchpad.net

CVE 2016-4862

Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers.

See the CVE page on Mitre.org for more details.

References