免费扫描

此页面尚未翻译为您的语言。我们正在努力翻译,目前显示英文内容。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

HIGHCVE-2026-39358CVSS 7.2

CVE-2026-39358: SQL Injection in CubeCart Ecommerce

平台

php

组件

cubecart

修复版本

6.6.0

在NVD查看
保存
正在翻译为您的语言…

CVE-2026-39358 describes an authenticated Time-Based Blind SQL Injection vulnerability discovered in CubeCart, an ecommerce software solution. This flaw allows attackers to inject malicious SQL commands through sorting parameters, potentially leading to data breaches and system compromise. The vulnerability impacts CubeCart versions 6.0.0 up to, but not including, version 6.6.0. A patch is available in version 6.6.0.

影响与攻击场景翻译中…

Successful exploitation of CVE-2026-39358 allows an attacker to bypass authentication and execute arbitrary SQL queries against the CubeCart database. This could result in the theft of sensitive customer data, including usernames, passwords, addresses, and payment information. Attackers could also modify product data, pricing, or inventory levels, disrupting business operations. The blind nature of the injection means that data extraction is slower, but the potential impact remains significant. A compromised CubeCart instance could also be leveraged for lateral movement within the network if the database user has excessive privileges.

利用背景翻译中…

CVE-2026-39358 was published on May 13, 2026. Its severity is rated HIGH with a CVSS score of 7.2. No public exploits or active campaigns targeting this vulnerability have been observed as of the publication date. The vulnerability is not currently listed on CISA Known Exploited Vulnerabilities (KEV) catalog. The EPSS score is pending evaluation.

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

CISA SSVC

利用情况poc
可自动化no
技术影响total

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H7.2HIGHAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredHigh攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityHigh敏感数据泄露风险IntegrityHigh数据未授权篡改风险AvailabilityHigh服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
高 — 需要管理员或特权账户。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
高 — 完全丧失机密性,攻击者可读取所有数据。
Integrity
高 — 攻击者可写入、修改或删除任何数据。
Availability
高 — 完全崩溃或资源耗尽,完全拒绝服务。

受影响的软件

组件cubecart
供应商cubecart
最低版本6.0.0
最高版本< 6.6.0
修复版本6.6.0

弱点分类 (CWE)

CWE-89

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-39358 is to immediately upgrade CubeCart to version 6.6.0 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out malicious SQL injection attempts targeting the sorting parameters (sort[price], sortactivity, sortadmin, and sort_customer) of the Products and Logs endpoints. Input validation and sanitization on the server-side are also crucial. Review database user permissions to ensure they adhere to the principle of least privilege; limit the database user's access to only the necessary tables and operations. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection attack on the affected endpoints and verifying that the input is properly sanitized.

修复方法翻译中…

Actualice CubeCart a la versión 6.6.0 o posterior para mitigar la vulnerabilidad de inyección SQL ciega basada en tiempo.  Asegúrese de realizar una copia de seguridad de su base de datos antes de actualizar.  Verifique la documentación oficial de CubeCart para obtener instrucciones detalladas de actualización.

常见问题翻译中…

What is CVE-2026-39358 — SQL Injection in CubeCart?

CVE-2026-39358 is a SQL Injection vulnerability affecting CubeCart versions 6.0.0 through 6.5.9. Attackers can exploit sorting parameters to execute arbitrary SQL commands, potentially compromising the database.

Am I affected by CVE-2026-39358 in CubeCart?

If you are running CubeCart version 6.0.0 through 6.5.9, you are potentially affected by this vulnerability. Upgrade to version 6.6.0 to mitigate the risk.

How do I fix CVE-2026-39358 in CubeCart?

The recommended fix is to upgrade CubeCart to version 6.6.0 or later. As a temporary workaround, implement a WAF to filter malicious SQL injection attempts.

Is CVE-2026-39358 being actively exploited?

As of the publication date, there are no reports of active exploitation campaigns targeting CVE-2026-39358.

Where can I find the official CubeCart advisory for CVE-2026-39358?

Refer to the official CubeCart security advisory for detailed information and updates regarding CVE-2026-39358: [https://www.cubecart.com/security/advisories/](https://www.cubecart.com/security/advisories/)

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE
live免费扫描

立即试用 — 无需账户

上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。

手动扫描Slack/邮件提醒持续监控白标报告

拖放您的依赖文件

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...