VYPR
Medium severity · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026

CVE-2026-3320

Description

Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /product/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Cradle eCommerce demo's /product/ endpoint allows arbitrary JavaScript execution via unvalidated user input.

Vulnerability

CVE-2026-3320 is a reflected cross-site scripting (XSS) vulnerability in the latest demo version of the Cradle eCommerce platform. The flaw exists in the /product/ endpoint, where user-controlled input is insecurely reflected in the HTML output without proper sanitization or encoding [1]. This is a classic instance of CWE-79 (Improper Neutralization of Input During Web Page Generation).
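To make the CWE-79 pattern concrete, the following is an added example (not Cradle's code; the advisory names only the /product/ endpoint, so the parameter name and page template here are assumptions). It shows a request value concatenated raw into an HTML response beside the same page rendered with HTML encoding, plus a small check a reviewer can run over rendered output to confirm that untrusted markup no longer survives as a live tag.

```javascript
// Added illustration of CWE-79 in a /product/-style handler; not code from the
// Cradle eCommerce project. The route comes from the advisory, while the query
// parameter and page template are assumptions made for this example.

// Encode the characters that change meaning in an HTML text or quoted-attribute context.
// Ampersand must be handled first so already-encoded output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the request parameter is reflected straight into the body.
function renderProductUnsafe(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened pattern: the same page, with the parameter encoded for the HTML
// text context before it is inserted.
function renderProductSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Review check: does a given tag still appear as live markup in the output?
// Encoded output contains "&lt;script" rather than "<script", so it does not match.
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed sample request value containing markup (not taken from the advisory).
const sampleInput = 'shoes<script>console.log("xss")</script>';

// Compare both renderings on the sample value.
function demo() {
  return {
    unsafe: renderProductUnsafe(sampleInput),
    safe: renderProductSafe(sampleInput),
    unsafeHasScript: containsLiveTag(renderProductUnsafe(sampleInput), 'script'),
    safeHasScript: containsLiveTag(renderProductSafe(sampleInput), 'script'),
  };
}

console.log(demo());
```

The encoder above is correct only for HTML text and quoted attribute values; a value placed inside a script block, an event handler, a URL, or CSS needs the encoding rules of that context instead. In practice the fix is to render through a template engine that escapes by default and to add a Content-Security-Policy as defense in depth, so that a missed encoding site does not immediately become arbitrary script execution.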

Exploitation

An attacker can craft a malicious URL containing JavaScript payloads in the vulnerable parameter and trick a user into clicking it. The attack (CVSS v4.0 base score 5.1) requires user interaction (UI:A) but no authentication (PR:N), and can be launched over the network (AV:N) [1]. The reflected payload executes in the victim's browser session within the context of the vulnerable domain.

Impact

Successful exploitation allows arbitrary JavaScript execution in the victim's browser. This can lead to session hijacking, defacement, theft of sensitive information displayed on the page, or further attacks against the user's session. The vulnerability is limited to the demo version of Cradle eCommerce and does not affect Cradle CMS [1].

Mitigation

The Cradle team has fixed this vulnerability in the latest version of Cradle eCommerce. Users running the demo version should update to the patched release. No workaround is provided, but the advisory recommends upgrading immediately [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)