Description
An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product.
Published: 2026-04-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

A classic SQL injection flaw allows an attacker to execute arbitrary SQL commands against the database. If exploited, an attacker could read sensitive information, modify or delete data, and potentially gain administrative access through the vulnerable e‑commerce platform.

Affected Systems

CubeCart Limited’s CubeCart platform prior to version 6.6.0 is vulnerable. All releases older than 6.6.0 may be affected, with no specific patch noted for individual minor revisions.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk level. Exploitation likelihood has not been quantified. The vulnerability is not listed in the known exploited vulnerabilities catalog. Attack vectors are likely remote, using crafted HTTP requests targeting user input fields, with no special prerequisites beyond access to the application.

Generated by OpenCVE AI on April 17, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure backups of the website and database are taken before making changes.
  • Update CubeCart to version 6.6.0 or newer to eliminate the injection flaw.
  • If an immediate upgrade is not possible, deploy input validation or web application firewall rules to block suspicious SQL payloads.

Generated by OpenCVE AI on April 17, 2026 at 06:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Cubecart
Cubecart cubecart
Vendors & Products Cubecart
Cubecart cubecart

Fri, 17 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Description An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product.
Weaknesses CWE-89
References
Metrics cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Cubecart Cubecart
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-17T12:20:12.217Z

Reserved: 2026-04-13T02:53:40.276Z

Link: CVE-2026-34018

cve-icon Vulnrichment

Updated: 2026-04-17T12:20:08.007Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T06:16:29.733

Modified: 2026-04-17T15:08:25.183

Link: CVE-2026-34018

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T07:00:08Z

Weaknesses