無料スキャン

このページはまだあなたの言語に翻訳されていません。翻訳作業中のため、英語でコンテンツを表示しています。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

HIGHCVE-2026-39358CVSS 7.2

CVE-2026-39358: SQL Injection in CubeCart Ecommerce

プラットフォーム

php

コンポーネント

cubecart

修正版

6.6.0

NVDで見る
保存
あなたの言語に翻訳中…

CVE-2026-39358 describes an authenticated Time-Based Blind SQL Injection vulnerability discovered in CubeCart, an ecommerce software solution. This flaw allows attackers to inject malicious SQL commands through sorting parameters, potentially leading to data breaches and system compromise. The vulnerability impacts CubeCart versions 6.0.0 up to, but not including, version 6.6.0. A patch is available in version 6.6.0.

影響と攻撃シナリオ翻訳中…

Successful exploitation of CVE-2026-39358 allows an attacker to bypass authentication and execute arbitrary SQL queries against the CubeCart database. This could result in the theft of sensitive customer data, including usernames, passwords, addresses, and payment information. Attackers could also modify product data, pricing, or inventory levels, disrupting business operations. The blind nature of the injection means that data extraction is slower, but the potential impact remains significant. A compromised CubeCart instance could also be leveraged for lateral movement within the network if the database user has excessive privileges.

悪用の状況翻訳中…

CVE-2026-39358 was published on May 13, 2026. Its severity is rated HIGH with a CVSS score of 7.2. No public exploits or active campaigns targeting this vulnerability have been observed as of the publication date. The vulnerability is not currently listed on CISA Known Exploited Vulnerabilities (KEV) catalog. The EPSS score is pending evaluation.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

CISA SSVC

悪用状況poc
自動化可能no
技術的影響total

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H7.2HIGHAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredHigh攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeUnchanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityHighサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
高 — 管理者または特権アカウントが必要。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化なし — 影響は脆弱なコンポーネントのみ。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
高 — 完全なクラッシュまたはリソース枯渇。完全なサービス拒否。

影響を受けるソフトウェア

コンポーネントcubecart
ベンダーcubecart
最小バージョン6.0.0
最大バージョン< 6.6.0
修正版6.6.0

弱点分類 (CWE)

CWE-89

タイムライン

  1. 予約済み
  2. 公開日
  3. 更新日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-39358 is to immediately upgrade CubeCart to version 6.6.0 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out malicious SQL injection attempts targeting the sorting parameters (sort[price], sortactivity, sortadmin, and sort_customer) of the Products and Logs endpoints. Input validation and sanitization on the server-side are also crucial. Review database user permissions to ensure they adhere to the principle of least privilege; limit the database user's access to only the necessary tables and operations. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection attack on the affected endpoints and verifying that the input is properly sanitized.

修正方法翻訳中…

Actualice CubeCart a la versión 6.6.0 o posterior para mitigar la vulnerabilidad de inyección SQL ciega basada en tiempo.  Asegúrese de realizar una copia de seguridad de su base de datos antes de actualizar.  Verifique la documentación oficial de CubeCart para obtener instrucciones detalladas de actualización.

よくある質問翻訳中…

What is CVE-2026-39358 — SQL Injection in CubeCart?

CVE-2026-39358 is a SQL Injection vulnerability affecting CubeCart versions 6.0.0 through 6.5.9. Attackers can exploit sorting parameters to execute arbitrary SQL commands, potentially compromising the database.

Am I affected by CVE-2026-39358 in CubeCart?

If you are running CubeCart version 6.0.0 through 6.5.9, you are potentially affected by this vulnerability. Upgrade to version 6.6.0 to mitigate the risk.

How do I fix CVE-2026-39358 in CubeCart?

The recommended fix is to upgrade CubeCart to version 6.6.0 or later. As a temporary workaround, implement a WAF to filter malicious SQL injection attempts.

Is CVE-2026-39358 being actively exploited?

As of the publication date, there are no reports of active exploitation campaigns targeting CVE-2026-39358.

Where can I find the official CubeCart advisory for CVE-2026-39358?

Refer to the official CubeCart security advisory for detailed information and updates regarding CVE-2026-39358: [https://www.cubecart.com/security/advisories/](https://www.cubecart.com/security/advisories/)

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...