cbcvebase.
CVE-2026-39428
published 2026-05-13

CVE-2026-39428: CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with…

PriorityP421medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.17%
7.0th percentile
CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of a product. These payloads are stored in the database and executed whenever a user (customer or another administrator) views the affected product pages, which could lead to session hijacking or unauthorized actions. This vulnerability is fixed in 6.6.0.

Affected

1 ranges
VendorProductVersion rangeFixed in
cubecartv6< 6.6.06.6.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.