Skip to main content

Cradle eCommerce CVE-2026-3318

| EUVDEUVD-2026-28545 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-08 INCIBE GHSA-m29c-gmm3-c3v9
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 14:30 vuln.today
CVSS changed
May 08, 2026 - 12:22 NVD
5.3 (MEDIUM)
CVE Published
May 08, 2026 - 11:24 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 11:24 nvd
MEDIUM 5.3

DescriptionCVE.org

Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the ‘returnUrl’ parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result, it is possible to redirect users from the legitimate website to external pages. An attacker could exploit this vulnerability to deceive users and redirect them from a trusted URL to a malicious one without their knowledge.

AnalysisAI

Open redirection in Cradle eCommerce login form endpoint allows attackers to redirect authenticated users to arbitrary external URLs via the unvalidated 'returnUrl' parameter, enabling phishing and credential theft attacks. The vulnerability affects the latest demo version and requires user interaction to click a malicious link, but carries low real-world exploitation probability (EPSS 0.04%) and no confirmed active exploitation at time of analysis.

Technical ContextAI

The vulnerability stems from CWE-601 (URL Redirection to Untrusted Site / Open Redirect), a class of flaws where web applications accept user-supplied URLs as parameters without validation or allowlisting. In this case, the Cradle eCommerce login endpoint processes the 'returnUrl' parameter directly in redirect logic, accepting any domain. The application fails to implement URL validation patterns such as destination domain whitelisting, relative-URL enforcement, or hostname verification before performing server-side or client-side redirects. This is a common pattern in authentication flows where post-login redirect URLs improve user experience but create security risks if not carefully validated.

RemediationAI

Apply URL validation to all redirect parameters, specifically the 'returnUrl' field in the login endpoint. Implement one of the following approaches with trade-offs: (1) Allowlist whitelisting - maintain a server-side list of permitted redirect domains; most secure but requires maintenance when legitimate destinations change. (2) Relative URL enforcement - accept only relative paths (e.g., '/dashboard') and reject absolute URLs (e.g., 'https://evil.com'); simplest to implement but restricts cross-domain legitimate redirects. (3) URL parsing and hostname verification - parse the URL and verify the hostname against a known-good list before redirect; moderate complexity. Vendor has not released a specific patch version at time of analysis; contact Cradle support or await an official security update. For demo environments, disable the returnUrl feature entirely if not required for testing, or implement it only in controlled staging environments with restricted external access.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-3318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy