Platform
php
Component
cubecart
Fixed in
6.6.1
CVE-2026-35496 describes a Path Traversal vulnerability discovered in CubeCart, an e-commerce platform. This flaw allows authenticated administrative users to potentially access files and directories outside of their intended scope. The vulnerability affects versions 1.0.0 up to and excluding 6.6.0. A patch is available in version 6.6.0.
Successful exploitation of this Path Traversal vulnerability could allow an attacker with administrative privileges to read sensitive files located outside of the web root. This could include configuration files containing database credentials, source code, or other confidential information. While the CVSS score is LOW, the potential for data exposure and compromise of the e-commerce platform warrants immediate attention. An attacker could potentially gain a deeper understanding of the application's architecture and identify further vulnerabilities. The blast radius is limited to the server hosting the CubeCart instance and any data accessible through the path traversal.
CVE-2026-35496 was published on April 17, 2026. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on KEV (Known Exploited Vulnerabilities) as of the publication date. The EPSS (Exploit Prediction Score System) score is likely to be low, reflecting the lack of public exploits and the requirement for administrative privileges.
Exploit Status
EPSS
0.06% (19% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35496 is to upgrade CubeCart to version 6.6.0 or later, which contains the necessary fix. If an immediate upgrade is not feasible, consider implementing stricter file access controls on the server hosting CubeCart. This could involve restricting the permissions of the web server user to only the necessary directories. Review and harden CubeCart's configuration, ensuring that file upload directories and other sensitive areas are properly protected. Implement a Web Application Firewall (WAF) with rules to detect and block path traversal attempts, specifically looking for patterns like '../' in request parameters. After upgrading, verify the fix by attempting to access files outside the intended web root using administrative credentials; access should be denied.
Actualice CubeCart a la versión 6.6.0 o posterior para mitigar la vulnerabilidad de recorrido de ruta. Esta actualización aborda la falla de seguridad al validar correctamente las entradas del usuario, evitando el acceso no autorizado a directorios sensibles.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-35496 is a Path Traversal vulnerability affecting CubeCart versions 1.0.0 through 6.5.9. It allows authenticated administrative users to potentially access unauthorized directories on the server.
You are affected if you are running CubeCart versions 1.0.0 through 6.5.9. Upgrade to version 6.6.0 or later to mitigate the vulnerability.
Upgrade CubeCart to version 6.6.0 or later. If immediate upgrade is not possible, implement stricter file access controls and consider a WAF.
As of the publication date, there is no indication of active exploitation campaigns targeting CVE-2026-35496.
Refer to the CubeCart security advisories page for the latest information: [https://www.cubecart.com/security/](https://www.cubecart.com/security/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.