Unauthenticated Reflected XSS (CVE‑2026‑44376) Discovered in CubeCart < 6.7.0 E‑Commerce Platform
What Happened – A reflected cross‑site scripting flaw (CVE‑2026‑44376) was found in CubeCart versions prior to 6.7.0. The vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript via the search or catalogue modules, which is then executed in the victim’s browser.
Why It Matters for TPRM –
- Attackers can hijack sessions of customers or employees of third‑party merchants, leading to credential theft or fraudulent transactions.
- The flaw can be leveraged to deliver malware or conduct phishing campaigns against supply‑chain partners.
- Many small‑to‑mid‑size retailers rely on CubeCart, expanding the potential attack surface across multiple business relationships.
Who Is Affected – Retail/E‑Commerce sites that run CubeCart < 6.7.0 (including hosted SaaS instances and self‑hosted deployments).
Recommended Actions –
- Upgrade to CubeCart 6.7.0 or later immediately.
- Apply input‑validation patches or implement a Web Application Firewall rule that sanitizes the
search[keywords]parameter. - Conduct a review of any third‑party sites that embed CubeCart widgets and verify they are not vulnerable.
Technical Notes – The XSS is reflected; the payload must be supplied in a search query that returns exactly one product, e.g., https://target/cubecart/search?search[keywords]=SAMSUNG%20<script>alert("Test!")</script>. No authentication is required. CVE‑2026‑44376 is tracked in Exploit‑DB (EDB‑52588). Source: https://www.exploit-db.com/exploits/52588