HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Unauthenticated Reflected XSS (CVE‑2026‑44376) Discovered in CubeCart < 6.7.0 E‑Commerce Platform

A reflected cross‑site scripting vulnerability (CVE‑2026‑44376) affecting CubeCart versions prior to 6.7.0 allows attackers to execute arbitrary JavaScript in victims’ browsers. Retail and e‑commerce sites using the platform are at risk of credential theft and malicious redirects, making it a priority for third‑party risk managers.

LiveThreat™ Intelligence · 📅 May 30, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
exploit-db.com

Unauthenticated Reflected XSS (CVE‑2026‑44376) Discovered in CubeCart < 6.7.0 E‑Commerce Platform

What Happened – A reflected cross‑site scripting flaw (CVE‑2026‑44376) was found in CubeCart versions prior to 6.7.0. The vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript via the search or catalogue modules, which is then executed in the victim’s browser.

Why It Matters for TPRM

  • Attackers can hijack sessions of customers or employees of third‑party merchants, leading to credential theft or fraudulent transactions.
  • The flaw can be leveraged to deliver malware or conduct phishing campaigns against supply‑chain partners.
  • Many small‑to‑mid‑size retailers rely on CubeCart, expanding the potential attack surface across multiple business relationships.

Who Is Affected – Retail/E‑Commerce sites that run CubeCart < 6.7.0 (including hosted SaaS instances and self‑hosted deployments).

Recommended Actions

  • Upgrade to CubeCart 6.7.0 or later immediately.
  • Apply input‑validation patches or implement a Web Application Firewall rule that sanitizes the search[keywords] parameter.
  • Conduct a review of any third‑party sites that embed CubeCart widgets and verify they are not vulnerable.

Technical Notes – The XSS is reflected; the payload must be supplied in a search query that returns exactly one product, e.g., https://target/cubecart/search?search[keywords]=SAMSUNG%20<script>alert("Test!")</script>. No authentication is required. CVE‑2026‑44376 is tracked in Exploit‑DB (EDB‑52588). Source: https://www.exploit-db.com/exploits/52588

📰 Original Source
https://www.exploit-db.com/exploits/52588

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →