CVE-2026-3319
Description
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /collection/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-3319 is a Reflected XSS in Cradle eCommerce's /collection/ endpoint, allowing arbitrary JavaScript execution through unvalidated user input.
Vulnerability
Overview
CVE-2026-3319 is a Reflected Cross-Site Scripting (XSS) vulnerability in the latest demo version of the Cradle eCommerce platform. The flaw resides in the /collection/ endpoint, where user-controlled input is reflected in the HTML output without proper sanitization or encoding. This is categorized under CWE-79 and is part of a disclosure coordinated by INCIBE [1].
Exploitation
Prerequisites
An attacker can exploit this vulnerability by crafting a malicious URL that includes a payload in the parameter reflected at /collection/. The attack requires user interaction: the victim must click on a crafted link. No authentication is needed, and the attack is network-based (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A). The CVSS v4.0 base score is 5.1, indicating medium severity [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript code in the context of the victim's browser session. This could lead to theft of session cookies, defacement, or redirection to malicious sites, compromising the confidentiality and integrity of user data [1].
Mitigation
Status
The Cradle team has fixed this vulnerability in the latest version of Cradle eCommerce. The vendor notes that this issue does not affect the Cradle CMS product, as it lacks the affected features (products, collections, customer accounts) [1]. Users should update to the patched version immediately.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: latest demo version
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.