無料スキャン

このページはまだあなたの言語に翻訳されていません。翻訳作業中のため、英語でコンテンツを表示しています。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

MEDIUMCVE-2026-39428CVSS 4.8

CVE-2026-39428: XSS in CubeCart 6.0.0 - 6.6.0

プラットフォーム

php

コンポーネント

cubecart

修正版

6.6.0

NVDで見る
保存
あなたの言語に翻訳中…

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in CubeCart versions 6.0.0 through 6.5.9. This vulnerability allows an attacker with administrative privileges to inject malicious JavaScript payloads into various product fields. These payloads are then stored in the database and executed when users, including other administrators, view the affected product pages, potentially leading to session hijacking or unauthorized actions. The vulnerability is resolved in CubeCart version 6.6.0.

影響と攻撃シナリオ翻訳中…

Successful exploitation of CVE-2026-39428 allows an attacker to inject arbitrary JavaScript code into CubeCart product pages. This code executes in the context of the user viewing the page, enabling the attacker to steal session cookies, redirect users to malicious websites, or perform actions on behalf of the user, including modifying product information or accessing sensitive data. The impact is particularly severe for administrators, as an attacker could gain full control over the CubeCart installation. This vulnerability shares similarities with other XSS vulnerabilities where user input is not properly sanitized before being stored and displayed, potentially leading to account takeover and data breaches.

悪用の状況翻訳中…

CVE-2026-39428 was published on May 13, 2026. Its severity is rated as Medium. No public proof-of-concept (POC) code has been publicly released at the time of writing. There are no indications of active exploitation campaigns targeting this vulnerability. This CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

CISA SSVC

悪用状況poc
自動化可能no
技術的影響partial

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N4.8MEDIUMAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredHigh攻撃に必要な認証レベルUser InteractionRequired被害者の操作が必要かどうかScopeChanged影響コンポーネント外への波及ConfidentialityLow機密データ漏洩のリスクIntegrityLow不正データ改ざんのリスクAvailabilityNoneサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
高 — 管理者または特権アカウントが必要。
User Interaction
必要 — 被害者がファイルを開く、リンクをクリックするなどのアクションが必要。
Scope
変化あり — 攻撃が脆弱なコンポーネントを超えて他のシステムに波及可能。
Confidentiality
低 — 一部データへの部分的アクセス。
Integrity
低 — 限定的な範囲でデータ変更可能。
Availability
なし — 可用性への影響なし。

影響を受けるソフトウェア

コンポーネントcubecart
ベンダーcubecart
最小バージョン6.0.0
最大バージョン< 6.6.0
修正版6.6.0

弱点分類 (CWE)

CWE-79

タイムライン

  1. 予約済み
  2. 公開日
  3. 更新日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-39428 is to upgrade CubeCart to version 6.6.0 or later, which contains the fix. If immediate upgrading is not possible, consider implementing stricter input validation and output encoding on all user-supplied data within CubeCart. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block XSS payloads targeting product fields can provide an additional layer of defense. Regularly review and audit CubeCart configurations to ensure best practices are followed.

修正方法翻訳中…

Actualice CubeCart a la versión 6.6.0 o posterior para mitigar la vulnerabilidad de XSS. Esta actualización corrige la forma en que se almacenan y procesan los datos de los productos, evitando la inyección de código malicioso. Asegúrese de realizar una copia de seguridad de su base de datos antes de actualizar.

よくある質問翻訳中…

What is CVE-2026-39428 — XSS in CubeCart?

CVE-2026-39428 is a Stored Cross-Site Scripting (XSS) vulnerability affecting CubeCart versions 6.0.0 through 6.5.9. It allows attackers with admin privileges to inject malicious JavaScript into product pages.

Am I affected by CVE-2026-39428 in CubeCart?

You are affected if you are running CubeCart version 6.0.0 through 6.5.9 and have not yet upgraded to version 6.6.0 or later. Check your CubeCart version to determine your exposure.

How do I fix CVE-2026-39428 in CubeCart?

The recommended fix is to upgrade CubeCart to version 6.6.0 or later. This version includes a patch that addresses the XSS vulnerability.

Is CVE-2026-39428 being actively exploited?

There are currently no indications of active exploitation campaigns targeting CVE-2026-39428, but it's crucial to apply the patch to prevent potential future attacks.

Where can I find the official CubeCart advisory for CVE-2026-39428?

Refer to the official CubeCart security advisory for detailed information and updates regarding CVE-2026-39428: [https://www.cubecart.com/security/](https://www.cubecart.com/security/)

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...