CVE-2026-44376

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product. This flaw bypasses current filters, allowing an attacker to execute malicious JavaScript in the victim's browser, leading to session hijacking, site defacement, or phishing. This vulnerability is fixed in 6.7.0.

Vulnerability Details

Published Date

May 13, 2026

Last Modified

May 15, 2026

CWE ID

CWE-79

Source

NVD

Vendor

cubecart

Product

External References

https://github.com/cubecart/v6/commit/b9d03e20b9d0f443f8ea55fd834e348438e2cc0c
https://github.com/cubecart/v6/security/advisories/GHSA-gvcp-wpvp-c6f7

CVE-2026-44376

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment