
CubeCart EUVD-2026-30156

CVE-2026-39358 · HIGH
SQL Injection (CWE-89)
2026-05-13 · GitHub_M
7.2 (CVSS 3.1 · GitHub Advisory)

Severity by source

GitHub Advisory (primary): 7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 08:41 (vuln.today)
Patch available: May 13, 2026 - 22:03 (EUVD)

Description (GitHub Advisory)

CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and sort_customer) of the Products and Logs endpoints in CubeCart v6.x. This allows an attacker to execute arbitrary SQL commands, compromising the confidentiality and integrity of the database. This vulnerability is fixed in 6.6.0.

Analysis (AI)

Authenticated SQL injection in CubeCart v6.x prior to 6.6.0 allows administrative users to execute arbitrary SQL commands through unsanitized sorting parameters on Products and Logs endpoints. Per SSVC, a proof-of-concept exists but the vulnerability is not in CISA KEV, and EPSS scoring (0.03%) reflects very low predicted exploitation activity due to the high-privilege prerequisite.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain CubeCart admin credentials
Delivery: Authenticate to admin panel
Exploit: Send crafted sort parameter to Products/Logs endpoint
Execution: Trigger time-based blind SQL injection
Persist: Exfiltrate database contents bit-by-bit
Impact: Harvest customer PII and credentials

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated session with high-privileged (administrator-level) access to the CubeCart admin panel, as confirmed by CVSS PR:H, since the vulnerable sort[price], sort_activity, sort_admin, and sort_customer parameters are reachable only through the Products and Logs administrative endpoints. …

Risk Assessment: Risk is moderate but heavily gated by the privilege requirement. …

Exploit Scenario: An attacker who has obtained CubeCart administrative credentials (through phishing, credential reuse from a third-party breach, or a malicious staff account) logs into the admin panel and issues crafted requests to the Products or Logs endpoint with a time-based blind SQLi payload in the sort_admin or sort[price] parameter. By measuring response delays, they extract the contents of the database bit by bit, including the customers table (PII, hashed passwords) and the orders table (transaction data). …

Remediation: Vendor-released patch: upgrade CubeCart to version 6.6.0 or later, as documented in GHSA-8gj6-9fwc-h4gh (https://github.com/cubecart/v6/security/advisories/GHSA-8gj6-9fwc-h4gh). …

Recommended Action (AI)

Within 24 hours: review administrative access logs in CubeCart for suspicious activity or unauthorized query patterns. …

