Vulnerability Description
CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product. This flaw bypasses current filters, allowing an attacker to execute malicious JavaScript in the victim's browser, leading to session hijacking, site defacement, or phishing. This vulnerability is fixed in 6.7.0.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/cubecart/v6/commit/b9d03e20b9d0f443f8ea55fd834e348438e2cc0c
- https://github.com/cubecart/v6/security/advisories/GHSA-gvcp-wpvp-c6f7
- https://github.com/cubecart/v6/security/advisories/GHSA-gvcp-wpvp-c6f7
FAQ
What is CVE-2026-44376?
CVE-2026-44376 is a vulnerability with a CVSS score of 6.1 (MEDIUM). CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.ph...
How severe is CVE-2026-44376?
CVE-2026-44376 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-44376?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.