Description
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /collection/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.
Published: 2026-05-11
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting (XSS) flaw in the /collection/ endpoint of the Cradle eCommerce demo. User input is insecurely reflected in the resulting HTML, allowing an attacker to inject and execute arbitrary JavaScript on the victim’s browser. This injection can lead to session hijacking, defacement or phishing attacks, effectively giving the attacker the ability to run client‑side code while the legitimate user is authenticated or browsing the site. The weakness is identified as CWE‑79.

Affected Systems

The affected product is Cradle eCommerce, specifically the demo version that includes the /collection/ endpoint. The vendor/product list indicates e-commerce:Cradle; no specific version is listed, so any installation using the demo "/collection/" feature before the latest update is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. The EPSS score is unavailable, suggesting no public reports yet. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely remote via crafted URLs that a victim is prompted to follow. Because it is a reflected XSS, it requires the victim to visit the malicious URL; it does not require special local privileges. If a user visits the crafted link, the injected script runs in the context of the Cradle domain, giving the attacker client‑side execution capabilities.

Generated by OpenCVE AI on May 11, 2026 at 17:38 UTC.

Remediation

Vendor Solution

The vulnerabilities have been fixed by the Cradle team in the latest version of Cradle eCommerce. This issue does not affect Cradle CMS, as it does not include products or collections, nor does it have customer accounts for logging in.

OpenCVE Recommended Actions

  • Upgrade Cradle eCommerce to the latest release that contains the XSS fix.
  • If upgrading immediately is not feasible, add output encoding or sanitization on the /collection/ endpoint so that user‑controlled data is not reflected unescaped.
  • After applying the fix or sanitization, perform targeted testing or scanning to confirm that no reflected XSS payload can be injected via the /collection/ endpoint.

Generated by OpenCVE AI on May 11, 2026 at 17:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /collection/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.
Title Multiple vulnerabilities in Cradle e-commerce
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-05-11T17:34:22.293Z

Reserved: 2026-02-27T10:16:11.024Z

Link: CVE-2026-3319

cve-icon Vulnrichment

Updated: 2026-05-11T17:34:17.792Z

cve-icon NVD

Status : Received

Published: 2026-05-11T16:17:30.850

Modified: 2026-05-11T16:17:30.850

Link: CVE-2026-3319

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T17:45:26Z

Weaknesses