Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /collection/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.
AnalysisAI
Reflected XSS in Cradle eCommerce platform allows unauthenticated remote attackers to execute arbitrary JavaScript in user browsers via unsanitized input reflected in the /collection/ endpoint. The vulnerability requires user interaction (clicking a malicious link) but affects the latest demo version with CVSS 5.1 (low-medium severity). No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available.
Technical ContextAI
This is a classic reflected cross-site scripting vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The /collection/ endpoint fails to sanitize or encode user-supplied input before rendering it in HTML output, allowing attackers to inject malicious JavaScript that executes in the context of a victim's browser session. The vulnerability exploits the trust relationship between users and the legitimate Cradle application to deliver client-side attacks such as session hijacking, credential theft, or malware delivery. Affected products are identified via CPE a:e-commerce:cradle with all versions matching the wildcard pattern.
RemediationAI
Apply the vendor-released patch available from INCIBE (https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cradle-e-commerce). Exact patched version number is not provided in available data - contact vendor directly or review the advisory for specific version increments. As an immediate compensating control, implement Web Application Firewall (WAF) rules to block requests containing script injection payloads in the /collection/ endpoint parameters, though this may generate false positives if legitimate user input contains angle brackets or JavaScript keywords. Additionally, deploy Content Security Policy (CSP) headers with script-src restrictions to prevent inline script execution even if XSS payload reaches the DOM - this mitigates impact but does not eliminate the root vulnerability. Input validation and output encoding (HTML entity encoding for user input in HTML context) must be implemented in the application code itself to fully resolve CWE-79.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29056
GHSA-2hwv-x45q-vm8v