Skip to main content

Cradle eCommerce EUVDEUVD-2026-29056

| CVE-2026-3319 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 INCIBE GHSA-2hwv-x45q-vm8v
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 18:00 vuln.today
CVSS changed
May 11, 2026 - 16:22 NVD
5.1 (MEDIUM)
CVE Published
May 11, 2026 - 14:26 nvd
MEDIUM 5.1
CVE Published
May 11, 2026 - 14:26 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /collection/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.

AnalysisAI

Reflected XSS in Cradle eCommerce platform allows unauthenticated remote attackers to execute arbitrary JavaScript in user browsers via unsanitized input reflected in the /collection/ endpoint. The vulnerability requires user interaction (clicking a malicious link) but affects the latest demo version with CVSS 5.1 (low-medium severity). No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available.

Technical ContextAI

This is a classic reflected cross-site scripting vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The /collection/ endpoint fails to sanitize or encode user-supplied input before rendering it in HTML output, allowing attackers to inject malicious JavaScript that executes in the context of a victim's browser session. The vulnerability exploits the trust relationship between users and the legitimate Cradle application to deliver client-side attacks such as session hijacking, credential theft, or malware delivery. Affected products are identified via CPE a:e-commerce:cradle with all versions matching the wildcard pattern.

RemediationAI

Apply the vendor-released patch available from INCIBE (https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cradle-e-commerce). Exact patched version number is not provided in available data - contact vendor directly or review the advisory for specific version increments. As an immediate compensating control, implement Web Application Firewall (WAF) rules to block requests containing script injection payloads in the /collection/ endpoint parameters, though this may generate false positives if legitimate user input contains angle brackets or JavaScript keywords. Additionally, deploy Content Security Policy (CSP) headers with script-src restrictions to prevent inline script execution even if XSS payload reaches the DOM - this mitigates impact but does not eliminate the root vulnerability. Input validation and output encoding (HTML entity encoding for user input in HTML context) must be implemented in the application code itself to fully resolve CWE-79.

Share

EUVD-2026-29056 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy