Description
A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible.
Published: 2026-04-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized directory access
Action: Patch
AI Analysis

Impact

A path traversal weakness (CWE‑22) allows an attacker with administrative privileges to navigate beyond intended directories in CubeCart installations prior to version 6.6.0, potentially viewing or modifying files that should remain hidden. This flaw does not enable arbitrary code execution, but it gives privileged users access to sensitive configuration files or data. The vulnerability is limited to users who already possess admin credentials; attackers must therefore either compromise an account or obtain administrative access through other means.

Affected Systems

CubeCart Limited's CubeCart software, in versions earlier than 6.6.0, is affected. Any installation running a pre‑6.6.0 release inherits the path traversal issue.

Risk and Exploitability

The flaw carries a CVSS score of 5.1, signifying moderate severity. Because exploitation requires administrative access, the likelihood of exploitation is constrained by an attacker's ability to obtain admin credentials; its EPSS probability is below 1% and it is not listed in CISA's KEV catalogue. Attackers who do gain admin rights can read or overwrite files outside the intended directory tree, potentially exposing confidential data or tampering with configuration. Overall, the risk is moderate, but it should be mitigated promptly to prevent privileged misuse.

Generated by OpenCVE AI on April 17, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CubeCart to version 6.6.0 or later
  • Re‑configure file permissions to limit administrative access strictly to required directories
  • Implement input validation to reject paths containing '../' sequences and enforce directory boundaries
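The last recommendation deserves a concrete shape, because a filter that only looks for a literal '../' is not the same thing as enforcing a directory boundary. The following is an added illustration written for this page, not CubeCart's own code; the function names (naive_allows, safe_join, demo), the constructed directory layout and the sample inputs are all assumptions. It contrasts the weak substring check with canonicalisation followed by a prefix check, which also handles percent-encoded dots, absolute paths and symlinks that point outside the permitted tree.

```python
"""Enforcing a directory boundary for an admin-supplied file path.

Added example (not CubeCart code): a naive '../' substring filter
beside a canonicalise-then-check implementation.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def naive_allows(user_path: str) -> bool:
    """The weak check: accepts anything that lacks a literal '../'."""
    return "../" not in user_path


def safe_join(base_dir, user_path: str) -> Path:
    """Return the canonical path of user_path under base_dir, or raise.

    1. Decode once, so percent-encoded dots cannot slip past the check.
    2. Resolve '..' components and symlinks with Path.resolve().
    3. Accept only if the result still lies under the canonical base.
    """
    base = Path(base_dir).resolve()
    decoded = unquote(user_path)
    # Joining an absolute input discards base entirely; step 3 catches that.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"path escapes {base}: {user_path!r}") from None
    return candidate


def demo() -> dict:
    """Build a constructed layout and classify several admin-supplied paths.

    Returns {label: (naive_allows result, 'allowed' | 'rejected' by safe_join)}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "store" / "admin_files"      # the permitted tree
        base.mkdir(parents=True)
        (base / "config.txt").write_text("inside")
        (root / "secret.txt").write_text("outside")  # must stay unreachable
        os.symlink(root / "secret.txt", base / "link.txt")

        samples = [
            ("legitimate", "config.txt"),
            ("dotdot", "../../secret.txt"),
            ("encoded", "..%2F..%2Fsecret.txt"),
            ("absolute", str(root / "secret.txt")),
            ("symlink", "link.txt"),
        ]
        results = {}
        for label, path in samples:
            try:
                safe_join(base, path)
                hardened = "allowed"
            except PermissionError:
                hardened = "rejected"
            results[label] = (naive_allows(path), hardened)
        return results


if __name__ == "__main__":
    for label, (naive, hardened) in demo().items():
        print(f"{label:11s} naive={'allowed' if naive else 'rejected':8s} hardened={hardened}")
```

Three of the five constructed inputs pass the substring filter yet escape the permitted tree; only the resolve-and-compare check rejects all four escapes while still serving the legitimate file. The same pattern applies whatever language the application is written in: canonicalise both the base directory and the candidate, then compare the canonical forms.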


Tracking


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 08:15:00 +0000

First Time appeared (values added): Cubecart; Cubecart cubecart
Vendors & Products (values added): Cubecart; Cubecart cubecart

Fri, 17 Apr 2026 06:45:00 +0000

Title (values added): Administrative Path Traversal in CubeCart prior to 6.6.0

Fri, 17 Apr 2026 05:30:00 +0000

Description (values added): A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible.
Weaknesses (values added): CWE-22
References (values added):
Metrics (values added): cvssV3_0
{'score': 2.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}
cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-17T12:18:33.735Z

Reserved: 2026-04-13T02:53:41.252Z

Link: CVE-2026-35496

Vulnrichment

Updated: 2026-04-17T12:18:27.892Z

NVD

Status : Awaiting Analysis

Published: 2026-04-17T06:16:29.867

Modified: 2026-04-17T15:08:25.183

Link: CVE-2026-35496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:01:13Z

Weaknesses