Description
CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and sort_customer) of the Products and Logs endpoints in CubeCart v6.x. This allows an attacker to execute arbitrary SQL commands, compromising the confidentiality and integrity of the database. This vulnerability is fixed in 6.6.0.
Published: 2026-05-13
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a time‑based blind SQL injection that can be triggered via sorting parameters on the Products and Logs endpoints. By manipulating these input fields, an authenticated attacker can execute arbitrary SQL commands against the database. This allows the attacker to read, modify, or delete any data stored in the database, thereby compromising both confidentiality and integrity. The weakness is a classic input validation flaw (CWE‑89).

Affected Systems

CubeCart version 6.x before 6.6.0. The affected components are the Products and Logs endpoints in v6.x, specifically the sorting parameters such as sort[price], sort_activity, sort_admin, and sort_customer. All installations of CubeCart 6.0 through 6.5.9 without the patch are vulnerable.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity of the flaw, yet no EPSS score is available, so the current exploitation probability cannot be precisely quantified. The vulnerability is not listed in CISA KEV, suggesting no known widespread exploitation. Because the flaw requires authentication, exploitation is limited to users who hold valid credentials or session tokens, although an attacker could obtain such access by compromising a privileged account. Likely attack vectors involve manipulating the sorting parameters in authenticated requests and observing timing side‑channels to confirm successful SQL execution.

Generated by OpenCVE AI on May 13, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CubeCart to version 6.6.0 or later, which contains the fix for the vulnerable sorting parameters.
  • If an immediate upgrade is not possible, force the vulnerable sorting parameters to safe default values, or block access to the affected endpoints using a web‑application firewall or similar controls, so that attackers cannot deliver malicious input.
  • Regardless of the patch status, tighten database user privileges by ensuring the application’s database account has only the minimal permissions required for normal operation; this limits the impact if an attacker does succeed in bypassing input validation.
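The allowlist pattern behind the second and third recommendations, shown as an added example rather than CubeCart's own code: a request such as `sort[price]=desc` is decoded into a mapping, and only keys and directions found in a hard-coded allowlist are ever turned into SQL. Column names cannot be bound as query parameters, which is why ORDER BY is a classic injection point, so the lookup table is what stands in for parameter binding. The sort keys, column names, table and rows below are constructed for illustration; the same approach applies in CubeCart's PHP code base.

```python
import sqlite3
from typing import Dict, Tuple

# Allowlist of accepted sort parameters. Each user-facing key maps to a column
# name hard-coded here; the request string itself never reaches the SQL text.
# Keys, columns and the products table are constructed for this example and
# are not CubeCart's real schema or parameter names.
SORT_COLUMNS: Dict[str, str] = {
    "price": "price",
    "name": "name",
    "updated": "updated_at",
}
SORT_DIRECTIONS: Dict[str, str] = {"asc": "ASC", "desc": "DESC"}
DEFAULT_SORT: Tuple[str, str] = ("name", "asc")


class InvalidSortParameter(ValueError):
    """Raised when a sort key or direction is not in the allowlist."""


def parse_sort_request(params: Dict) -> Tuple[str, str]:
    """Validate a decoded request such as {"sort": {"price": "desc"}},
    which is what a query string of the form sort[price]=desc decodes to.

    Returns (sort_key, direction) drawn from the allowlists. A missing "sort"
    block yields DEFAULT_SORT; anything present but unrecognised is rejected
    (rather than silently defaulted) so tampering shows up in application logs.
    """
    sort = params.get("sort")
    if sort is None:
        return DEFAULT_SORT
    if not isinstance(sort, dict) or len(sort) != 1:
        raise InvalidSortParameter("sort must contain exactly one key")
    key, direction = next(iter(sort.items()))
    if key not in SORT_COLUMNS:
        raise InvalidSortParameter(f"unknown sort key: {key!r}")
    direction = str(direction).lower()
    if direction not in SORT_DIRECTIONS:
        raise InvalidSortParameter(f"unknown sort direction: {direction!r}")
    return key, direction


def is_valid_sort(params: Dict) -> bool:
    """Convenience predicate: True when the request passes the allowlist."""
    try:
        parse_sort_request(params)
        return True
    except InvalidSortParameter:
        return False


def build_order_by(sort_key: str, direction: str) -> str:
    """Build the ORDER BY clause from allowlisted values only."""
    return f"ORDER BY {SORT_COLUMNS[sort_key]} {SORT_DIRECTIONS[direction]}"


def list_products(conn: sqlite3.Connection, params: Dict) -> list:
    """Run the product listing with a validated sort; raises on bad input."""
    sort_key, direction = parse_sort_request(params)
    sql = "SELECT name, price FROM products " + build_order_by(sort_key, direction)
    return conn.execute(sql).fetchall()


def demo_connection() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, updated_at TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("mug", 4.5, "2026-01-02"), ("cap", 12.0, "2026-01-05"), ("pen", 1.25, "2026-01-01")],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(list_products(conn, {"sort": {"price": "desc"}}))
    for bad in ({"sort": {"price, name": "asc"}}, {"sort": {"price": "desc;"}}, {"sort": "price"}):
        print("rejected:", bad, is_valid_sort(bad))
```

Rejecting rather than defaulting keeps a record of tampering attempts in the application log, which is the detection signal a defender wants for this class of bug; the WAF rule in the second recommendation can be written against the same allowlist.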

Generated by OpenCVE AI on May 13, 2026 at 22:51 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Cubecart; Cubecart cubecart
Vendors & Products  |                | Cubecart; Cubecart cubecart

Thu, 14 May 2026 13:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 21:15:00 +0000

Type        | Values Removed | Values Added
Description |                | CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and sort_customer) of the Products and Logs endpoints in CubeCart v6.x. This allows an attacker to execute arbitrary SQL commands, compromising the confidentiality and integrity of the database. This vulnerability is fixed in 6.6.0.
Title       |                | CubeCart: Time-based Blind SQL Injection
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:54:15.141Z

Reserved: 2026-04-06T21:29:17.349Z

Link: CVE-2026-39358

Vulnrichment

Updated: 2026-05-14T12:54:05.315Z

NVD

Status : Deferred

Published: 2026-05-13T21:16:46.657

Modified: 2026-05-14T16:49:18.583

Link: CVE-2026-39358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:26Z

Weaknesses