CVE-2025-66572 in Loaded Commerce
Summary
by MITRE • 12/05/2025
Loaded Commerce 6.6 contains a client-side template injection vulnerability via the search parameter that allows unauthenticated attackers to execute arbitrary code in the victim's browser context when they visit a crafted URL.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/27/2026
The vulnerability identified as CVE-2025-66572 represents a critical client-side template injection flaw within Loaded Commerce 6.6 platform. This vulnerability specifically manifests through the search parameter functionality, creating a pathway for unauthenticated attackers to execute arbitrary code on the affected server. The issue stems from insufficient input validation and sanitization mechanisms within the template processing system, allowing malicious payloads to be interpreted and executed as legitimate template code rather than simple user input.
The technical exploitation of this vulnerability occurs when an attacker crafts a malicious search query containing template injection payloads that bypass standard validation controls. The loaded commerce platform processes these search parameters through its template engine without adequate sanitization, enabling the execution of arbitrary code on the server. This type of vulnerability falls under the CWE-74 category of Improper Neutralization of Special Elements in Output Used by a Downstream Component, specifically manifesting as a template injection attack vector. The attack chain typically involves the attacker submitting a specially crafted search parameter that contains template syntax or code execution directives which are then processed by the vulnerable template engine.
The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with the ability to fully compromise the affected server. Once exploited, attackers can gain unauthorized access to sensitive data, modify or delete content, escalate privileges, and potentially use the compromised server as a pivot point for further attacks within the network. The unauthenticated nature of this vulnerability means that no prior login credentials or privileged access are required to exploit the flaw, making it particularly dangerous for publicly accessible web applications. The vulnerability directly aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter: Python and T1078.004 for Valid Accounts: Default Accounts, as attackers can leverage this vulnerability to establish persistent access and execute malicious commands.
Mitigation strategies for CVE-2025-66572 should prioritize immediate patching of the loaded commerce platform to the latest version that addresses this specific template injection vulnerability. Organizations should implement robust input validation and sanitization measures at all entry points, particularly within search functionality and template processing components. Network segmentation and web application firewalls can provide additional layers of protection by monitoring and filtering malicious search queries before they reach the vulnerable application components. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities in related systems. The implementation of proper template engine configuration with strict sandboxing mechanisms and the enforcement of the principle of least privilege for application processes can significantly reduce the potential impact of such vulnerabilities. Additionally, monitoring for unusual search patterns and automated exploitation attempts should be enabled to detect and respond to potential attacks targeting this specific vulnerability.