Description
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /product/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.
Published: 2026-05-11
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting flaw in the demo version of the Cradle eCommerce platform. User‑controlled data supplied to the /product/ endpoint is written into the HTML response without contextual output encoding, so an attacker who gets a victim to open a crafted link to that endpoint can execute arbitrary JavaScript in the victim's browser, within the origin of the affected site. This could enable theft of session tokens or credentials (subject to cookie flags such as HttpOnly), or actions performed on the site with the victim's privileges.

Affected Systems

The Cradle eCommerce platform is affected; specifically the demo installation that ships with the product. The advisory lists no exact version numbers, so any deployment that includes the unpatched demo code should be treated as vulnerable until it is upgraded to the fixed release. The vendor states that Cradle CMS is not affected.

Risk and Exploitability

The CVSS 4.0 score of 5.1 places the vulnerability in the medium severity range. EPSS data is not available, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, which together suggest a low public exploitation likelihood at present. The vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) requires no privileges but does require active user interaction: an attacker must get a victim to open a crafted link to the /product/ endpoint, and the resulting script runs only in that victim's browser. Because it permits arbitrary JavaScript execution in the site's origin, the potential impact on the confidentiality and integrity of user sessions is nonetheless significant; the vector records no availability impact.

Generated by OpenCVE AI on May 11, 2026 at 17:03 UTC.

Remediation

Vendor Solution

The vulnerabilities have been fixed by the Cradle team in the latest version of Cradle eCommerce. This issue does not affect Cradle CMS, as it does not include products or collections, nor does it have customer accounts for logging in.


OpenCVE Recommended Actions

  • Apply the latest Cradle eCommerce release, which contains the fix for the XSS flaw.
  • If upgrading is delayed, restrict or remove public access to the demo /product/ endpoint to prevent exploitation.
  • Apply contextual output encoding (HTML entity encoding for text and attribute contexts, JavaScript string encoding for script contexts) to all user‑supplied data at the point it is written into a response, and add a Content‑Security‑Policy that disallows inline scripts as defence in depth. Input sanitization on its own is not a reliable XSS defence and should not replace output encoding.
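The pattern the advisory describes and the fix recommended above, as an added example in Node.js that is not Cradle's code. The query parameter name q, the page template, the hostname shop.example and the handler names are assumptions; the advisory only names the /product/ endpoint.

```javascript
// Added example, not Cradle's code: a minimal product-page handler that
// reproduces the reflected-XSS pattern (raw parameter concatenated into HTML)
// beside its hardened form (contextual output encoding plus a CSP header).
// Assumptions: parameter "q", the template below, hostname shop.example.

const TEMPLATE_PREFIX = "<h1>Product search</h1><p>No results for: ";
const TEMPLATE_SUFFIX = "</p>";

// Vulnerable: the raw parameter value is concatenated into the HTML body.
function renderVulnerable(searchTerm) {
  return TEMPLATE_PREFIX + searchTerm + TEMPLATE_SUFFIX;
}

// Contextual output encoding for HTML text and quoted-attribute contexts:
// the five characters that can break out of those contexts are replaced.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: same template, the value is encoded for the context it lands in.
function renderSafe(searchTerm) {
  return TEMPLATE_PREFIX + escapeHtml(searchTerm) + TEMPLATE_SUFFIX;
}

// Simulates the request path: the victim opens an attacker-crafted link, the
// server percent-decodes the query string and renders the page. Returns the
// HTML body and the headers the handler would send.
function handleProductRequest(requestUrl, { hardened }) {
  const url = new URL(requestUrl);
  const term = url.searchParams.get("q") || ""; // searchParams decodes %xx
  const body = hardened ? renderSafe(term) : renderVulnerable(term);
  const headers = { "Content-Type": "text/html; charset=utf-8" };
  if (hardened) {
    // Defence in depth: no 'unsafe-inline', so the payload's inline event
    // handler would be blocked even if an encoding gap remained elsewhere.
    headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self'";
  }
  return { body, headers };
}

// Returns only the reflected part of the page, so callers can inspect what
// the user-controlled value became after rendering.
function reflectedSegment(html) {
  return html.slice(TEMPLATE_PREFIX.length, html.length - TEMPLATE_SUFFIX.length);
}

// Constructed sample: the payload is percent-encoded as it would be in a
// phishing link; the server decodes it before rendering.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const CRAFTED_LINK = "https://shop.example/product/?q=" + encodeURIComponent(PAYLOAD);

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", handleProductRequest(CRAFTED_LINK, { hardened: false }).body);
  console.log("hardened:  ", handleProductRequest(CRAFTED_LINK, { hardened: true }).body);
}
```

Running the file prints the vulnerable page with the img tag intact and the hardened page with it rendered as inert text (`&lt;img src=x onerror=&quot;...&quot;&gt;`). The encoding happens at the output boundary, not on input, so the same value can still be stored or logged verbatim and encoded differently if it is later placed in a JavaScript or URL context.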

Generated by OpenCVE AI on May 11, 2026 at 17:03 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 11 May 2026 18:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 15:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /product/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.
Title       |                | Multiple vulnerabilities in Cradle e-commerce
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-05-11T17:33:57.767Z

Reserved: 2026-02-27T10:16:12.434Z

Link: CVE-2026-3320

Vulnrichment

Updated: 2026-05-11T17:33:54.632Z

NVD

Status : Received

Published: 2026-05-11T16:17:31.000

Modified: 2026-05-11T16:17:31.000

Link: CVE-2026-3320

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:15:40Z

Weaknesses