{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/cubecart/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":6.1,"id":"CVE-2026-44376"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CubeCart \u003c 6.7.0"],"_cs_severities":["high"],"_cs_tags":["xss","reflected-xss","web-application","cubecart"],"_cs_type":"advisory","_cs_vendors":["CubeCart"],"content_html":"\u003cp\u003eA reflected cross-site scripting (XSS) vulnerability has been identified in CubeCart versions prior to 6.7.0. This vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript code into the application via the search functionality. Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in a victim\u0026rsquo;s browser when they visit a compromised CubeCart page. A public exploit (EDB-52588) demonstrating this vulnerability is available on Exploit-DB as of May 29, 2026. The vulnerability is located in the search or catalogue modules where user-supplied input is not properly sanitized before being output back to the user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a JavaScript payload in the \u003ccode\u003esearch[keywords]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URL to potential victims, typically via phishing or social engineering.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the malicious URL, sending a request to the vulnerable CubeCart server.\u003c/li\u003e\n\u003cli\u003eThe CubeCart server processes the request and includes the unsanitized \u003ccode\u003esearch[keywords]\u003c/code\u003e value in the HTML response. The payload must contain a valid product name that returns only one result.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser renders the HTML response, executing the injected JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code can perform various actions, such as stealing cookies, redirecting the user to a malicious website, or defacing the CubeCart website.\u003c/li\u003e\n\u003cli\u003eIf the attacker steals the victim\u0026rsquo;s session cookies, they can impersonate the victim and gain unauthorized access to their account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability could lead to various security breaches, including account takeover, defacement of the CubeCart website, and redirection of users to malicious websites. The severity is high due to the ease of exploitation (unauthenticated) and the potential for widespread impact. Given the availability of a public exploit, all CubeCart installations prior to version 6.7.0 are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CubeCart to version 6.7.0 or later to patch CVE-2026-44376.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CubeCart XSS Attempt via Search\u0026rdquo; to your SIEM to detect attempts to exploit this vulnerability via HTTP requests to the \u003ccode\u003e/search\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tags or other JavaScript-related keywords in the \u003ccode\u003esearch[keywords]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding to prevent XSS vulnerabilities in CubeCart and other web applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T06:31:06Z","date_published":"2026-05-29T06:31:06Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cubecart-xss/","summary":"CubeCart versions before 6.7.0 are vulnerable to reflected cross-site scripting (XSS), allowing an unauthenticated attacker to inject malicious JavaScript payloads via the search functionality, which will be executed in the context of the victim's browser.","title":"CubeCart \u003c 6.7.0 Unauthenticated Reflected Cross-Site Scripting (XSS)","url":"https://feed.craftedsignal.io/briefs/2026-05-cubecart-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — CubeCart","version":"https://jsonfeed.org/version/1.1"}