Export CSV

Products

1 vendor
VendorProductsCVEsKEVAvg EPSSWorst Severity
129076.5%CRITICAL

Related CVEs

29
CVE IDDescriptionSeverityCVSSKEVEPSSPublished
CVE-2026-35496A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible.MEDIUM5.123.8%Apr 17, 2026
CVE-2026-34018An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product.MEDIUM5.17.6%Apr 17, 2026
CVE-2026-21719An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command.HIGH8.664.4%Apr 17, 2026
CVE-2025-59413CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email address. This issue has been patched in version 6.5.11.MEDIUM6.529.2%Sep 22, 2025
CVE-2025-59412CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where user-supplied input is not properly sanitized before being displayed. An attacker can submit HTML tags inside the review description field. Once the administrator approves the review, the injected HTML is rendered on the product page for all visitors. This could be used to redirect users to malicious websites or to display unwanted content. This issue has been patched in version 6.5.11.MEDIUM5.417.3%Sep 22, 2025
CVE-2025-59411CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11.MEDIUM5.419.6%Sep 22, 2025
CVE-2025-59335CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account, an unauthorized user can maintain access even after the password has been changed. Due to this bug, if an account has already been compromised, the legitimate user has no way to revoke the attacker’s access. The malicious actor retains full access to the account until their session naturally expires. This means the account remains insecure even after the password has been changed. This issue has been patched in version 6.5.11.HIGH7.18.9%Sep 22, 2025
CVE-2024-34832Directory Traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary code via a crafted file uploaded to the _g and node parameters.CRITICAL9.891.2%Jun 6, 2024
CVE-2024-33438File Upload vulnerability in CubeCart before 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file.HIGH8.062.0%Apr 29, 2024
CVE-2023-47675CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command.HIGH7.257.8%Nov 17, 2023
CVE-2023-47283Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to obtain files in the system.MEDIUM4.963.8%Nov 17, 2023
CVE-2023-42428Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to delete directories and files in the system.MEDIUM6.566.5%Nov 17, 2023
CVE-2023-38130Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6.5.3 allows a remote unauthenticated attacker to delete data in the system.HIGH8.127.1%Nov 17, 2023
CVE-2021-33394Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.MEDIUM5.4May 27, 2021
CVE-2018-20716CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature.NONE63.7%Jan 15, 2019
CVE-2018-20703CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.NONE45.9%Jan 13, 2019
CVE-2017-2117Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary files via unspecified vectors.NONE79.7%Apr 28, 2017
CVE-2017-2098Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.NONE82.5%Apr 28, 2017
CVE-2017-2090Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.NONE82.5%Apr 28, 2017
CVE-2015-6928classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter.NONE80.2%Sep 28, 2015