VYPR

Vendor CVEs

Cubecart

All CVEs

59 total · sorted by risk
  • CVE-2013-1465 · Critical · Feb 8, 2013
    risk 0.67 · cvss 9.8 · epss 0.07

    The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.

  • CVE-2026-34018 · Critical · Apr 17, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product.

  • CVE-2026-45714 · Critical · May 13, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates…

  • CVE-2026-45053 · Critical · May 13, 2026
    risk 0.52 · cvss 9.1 · epss 0.01

    CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The endpoint allows any holder of an API key with files:rw permission to upload PHP…

  • CVE-2026-44377 · Critical · May 13, 2026
    risk 0.52 · cvss 9.1 · epss 0.01

    CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly…

  • CVE-2026-45055 · High · May 13, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email links, most critically the password-reset…

  • CVE-2017-2098 · Medium · Apr 28, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.

  • CVE-2017-2090 · Medium · Apr 28, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.

  • CVE-2026-45708 · High · May 13, 2026
    risk 0.40 · cvss 7.2 · epss 0.00

    CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print..php. files/.htaccess…

  • CVE-2026-39358 · High · May 13, 2026
    risk 0.40 · cvss 7.2 · epss 0.00

    CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and sort_customer) of the Products and Logs endpoints in CubeCart v6.x.…

  • CVE-2026-21719 · High · Apr 17, 2026
    risk 0.40 · cvss 7.2 · epss 0.01

    An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command.

  • CVE-2026-44376 · Medium · May 13, 2026
    risk 0.36 · cvss 6.1 · epss 0.01

    CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns…

  • CVE-2017-2117 · Medium · Apr 28, 2017
    risk 0.32 · cvss 4.9 · epss 0.02

    Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary files via unspecified vectors.

  • CVE-2026-45054 · Medium · May 13, 2026
    risk 0.25 · cvss 4.9 · epss 0.00

    CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the…

  • CVE-2026-39428 · Medium · May 13, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of…

  • CVE-2026-35496 · Low · Apr 17, 2026
    risk 0.11 · cvss 2.7 · epss 0.00

    A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible.

  • CVE-2009-3904 · Nov 6, 2009
    risk 0.04 · cvss n/a · epss 0.09

    classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via a HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2)…

  • CVE-2006-0922 · Feb 28, 2006
    risk 0.04 · cvss n/a · epss 0.08

    CubeCart 3.0 through 3.6 does not properly check authorization for an administration session because of a missing auth.inc.php include, which results in an absolute path traversal vulnerability in FileUpload in connector.php (aka upload.php) that allows remote attackers to…

  • CVE-2005-0442 · May 2, 2005
    risk 0.04 · cvss n/a · epss 0.08

    Directory traversal vulnerability in index.php for CubeCart 2.0.4 allows remote attackers to read arbitrary files via the language parameter.

  • CVE-2014-2341 · Apr 22, 2014
    risk 0.03 · cvss n/a · epss 0.06

    Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.

  • CVE-2012-0865 · Feb 21, 2012
    risk 0.03 · cvss n/a · epss 0.03

    Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) r parameter to switch.php or (2) goto parameter to admin/login.php.

  • CVE-2010-1931 · Jun 10, 2010
    risk 0.03 · cvss n/a · epss 0.01

    SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php.

  • CVE-2009-4060 · Nov 24, 2009
    risk 0.03 · cvss n/a · epss 0.02

    SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 allows remote attackers to execute arbitrary SQL commands via the productId parameter.

  • CVE-2006-5108 · Oct 3, 2006
    risk 0.03 · cvss n/a · epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to inject arbitrary web script or HTML via the order_id parameter in (1) admin/print_order.php and (2) view_order.php; the (3) site_url and (4) la_search_home parameters and…

  • CVE-2006-5107 · Oct 3, 2006
    risk 0.03 · cvss n/a · epss 0.01

    Multiple SQL injection vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to execute arbitrary SQL commands via (1) the user_name parameter in admin/forgot_pass.php, (2) the order_id parameter in view_order.php, (3) the view_doc parameter in view_doc.php, and (4)…

  • CVE-2006-4525 · Sep 1, 2006
    risk 0.03 · cvss n/a · epss 0.03

    Cross-site scripting (XSS) vulnerability in CubeCart 3.0.12 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the links array.

  • CVE-2006-4267 · Aug 21, 2006
    risk 0.03 · cvss n/a · epss 0.03

    Multiple SQL injection vulnerabilities in CubeCart 3.0.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) oid parameter in modules/gateway/Protx/confirmed.php and the (2) x_invoice_num parameter in modules/gateway/Authorize/confirmed.php.

  • CVE-2006-0064 · Jan 3, 2006
    risk 0.03 · cvss n/a · epss 0.02

    PHP remote file include vulnerability in includes/orderSuccess.inc.php in CubeCart allows remote attackers to execute arbitrary PHP code via a URL in the glob[rootDir] parameter.

  • CVE-2005-3152 · Oct 5, 2005
    risk 0.03 · cvss n/a · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the redir parameter to (1) cart.php or (2) index.php, or (3) the searchStr parameter in a viewCat action to index.php. Note: vectors (1) and…

  • CVE-2005-0606 · May 2, 2005
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in settings.inc.php for CubeCart 2.0.0 through 2.0.5, as used in multiple PHP files, allows remote attackers to inject arbitrary HTML or web script via the (1) cat_id, (2) PHPSESSID, (3) view_doc, (4) product, (5) session, (6) catname,…

  • CVE-2005-0443 · May 2, 2005
    risk 0.03 · cvss n/a · epss 0.05

    index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the full path for the web server or (2) conduct cross-site scripting (XSS) attacks via an invalid language parameter, which echoes the parameter in a PHP error message.

  • CVE-2005-1033 · May 2, 2005
    risk 0.03 · cvss n/a · epss 0.03

    CubeCart 2.0.6 allows remote attackers to obtain sensitive information via an invalid (1) language parameter to index.php, (2) PHPSESSID parameter to index.php, (3) product parameter to tellafriend.php, (4) add parameter to view_cart.php, or (5) product parameter to…

  • CVE-2004-1580 · Dec 31, 2004
    risk 0.03 · cvss n/a · epss 0.02

    SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.

  • CVE-2024-34832 · Jun 6, 2024
    risk 0.01 · cvss n/a · epss 0.05

    Directory Traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary code via a crafted file uploaded to the _g and node parameters.

  • CVE-2025-59413 · Sep 22, 2025
    risk 0.00 · cvss n/a · epss 0.00

    CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to…

  • CVE-2025-59412 · Sep 22, 2025
    risk 0.00 · cvss n/a · epss 0.00

    CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where user-supplied input is not properly sanitized before being displayed. An attacker can submit HTML tags inside the review description field. Once the…

  • CVE-2025-59411 · Sep 22, 2025
    risk 0.00 · cvss n/a · epss 0.00

    CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML.…

  • CVE-2025-59335 · Sep 22, 2025
    risk 0.00 · cvss n/a · epss 0.00

    CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account,…

  • CVE-2024-33438 · Apr 29, 2024
    risk 0.00 · cvss n/a · epss 0.01

    File Upload vulnerability in CubeCart before 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file.

  • CVE-2023-47675 · Nov 17, 2023
    risk 0.00 · cvss n/a · epss 0.01

    CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command.

  • CVE-2023-47283 · Nov 17, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to obtain files in the system.

  • CVE-2023-42428 · Nov 17, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to delete directories and files in the system.

  • CVE-2023-38130 · Nov 17, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6.5.3 allows a remote unauthenticated attacker to delete data in the system.

  • CVE-2021-33394 · May 27, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid,…

  • CVE-2018-20716 · Jan 15, 2019
    risk 0.00 · cvss n/a · epss 0.01

    CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature.

  • CVE-2018-20703 · Jan 13, 2019
    risk 0.00 · cvss n/a · epss 0.01

    CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.

  • CVE-2015-6928 · Sep 28, 2015
    risk 0.00 · cvss n/a · epss 0.02

    classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate…

  • CVE-2010-4903 · Oct 8, 2011
    risk 0.00 · cvss n/a · epss 0.01

    SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remote attackers to execute arbitrary SQL commands via the searchStr parameter.

  • CVE-2011-3724 · Sep 23, 2011
    risk 0.00 · cvss n/a · epss 0.01

    CubeCart 4.4.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/shipping/USPS/calc.php and certain other files.

  • CVE-2008-1550 · Mar 31, 2008
    risk 0.00 · cvss n/a · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the _a parameter in a searchStr action and the (2) Submit parameter.

Page 1 of 2