CVE-2026-44376 in CubeCart
Summary
by MITRE • 05/14/2026
CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product. This flaw bypasses current filters, allowing an attacker to execute malicious JavaScript in the victim's browser, leading to session hijacking, site defacement, or phishing. This vulnerability is fixed in 6.7.0.
Analysis
by VulDB Data Team • 06/02/2026
The vulnerability under discussion represents a critical security flaw in CubeCart ecommerce software affecting versions prior to 6.7.0, specifically within the search functionality of the v6.x series. This issue manifests as an unauthenticated reflected cross-site scripting vulnerability that exploits a logic flaw in the classes/catalogue.class.php file, creating a dangerous attack vector that can be leveraged by malicious actors without requiring any authentication credentials.
The vulnerability stems from improper input sanitization within the search processing logic, where user-supplied parameters are reflected back to the browser without adequate sanitization. The flaw is particularly insidious because it only activates under a specific condition, when a search query returns exactly one product result, making it more difficult to detect and exploit systematically. This conditional behavior means the vulnerability exists in a narrow but critical execution path that bypasses existing security filters and validation mechanisms that would normally protect against such attacks.
The operational impact of this vulnerability extends far beyond simple script execution, as it provides attackers with the capability to hijack user sessions, deface websites, or conduct phishing attacks against unsuspecting customers. When a victim visits a maliciously crafted search URL, the reflected JavaScript code executes within their browser context, potentially stealing session cookies, redirecting them to fraudulent sites, or modifying the website content to display malicious advertisements or fake login pages. This vulnerability directly violates security principles by allowing arbitrary code execution in the context of legitimate user sessions.
From a cybersecurity perspective, this vulnerability maps directly to CWE-79 - Cross-site Scripting and aligns with ATT&CK technique T1566.001 - Phishing, as it enables attackers to craft malicious search queries that can be delivered to victims through various attack vectors including email, social media, or compromised websites. Remediation requires updating to CubeCart version 6.7.0 or applying the appropriate patch that implements proper input sanitization and output encoding for all search results, regardless of the number of matches returned. Security practitioners should also monitor for unusual search patterns and consider deploying web application firewalls to detect and block suspicious search queries that may indicate exploitation attempts.
The vulnerability demonstrates the importance of comprehensive input validation and the dangers of conditional security checks that may inadvertently create bypass opportunities. Organizations using CubeCart should conduct immediate security assessments to verify their systems are updated and implement proper security monitoring to detect potential exploitation attempts. The fix in version 6.7.0 addresses the core logic flaw by ensuring all user input is properly sanitized before being reflected back to the browser, regardless of search result counts, thereby eliminating the conditional vulnerability that made this attack possible.
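The conditional-encoding pattern described above, modelled as an added example; this is not the code from classes/catalogue.class.php and not part of the original advisory. The catalogue, the function names and the tag-stripping lookup are assumptions made for the illustration, which compares a renderer whose single-result branch skips output encoding with one that encodes before branching, checked against zero, one and several hits.

```php
<?php
declare(strict_types=1);
// Added illustration, not CubeCart code: all names and data are hypothetical.

const CATALOGUE = ['Blue Mug', 'Blue Teapot', 'Red Kettle']; // constructed sample data

// Assumed lookup: tags are stripped from the term before matching product names.
function findProducts(string $term): array
{
    $needle = trim(strip_tags($term));
    return array_values(array_filter(
        CATALOGUE,
        fn(string $name): bool => $needle !== '' && stripos($name, $needle) !== false
    ));
}

// Flawed pattern: the exactly-one-result branch echoes the raw term.
function renderFlawed(string $term): string
{
    $hits = findProducts($term);
    if (count($hits) === 1) {
        return '<h1>Result for ' . $term . ': ' . htmlspecialchars($hits[0]) . '</h1>';
    }
    return '<h1>' . count($hits) . ' results for ' . htmlspecialchars($term) . '</h1>';
}

// Hardened pattern: encode once, before branching on the result count.
function renderHardened(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $hits = findProducts($term);
    $label = count($hits) === 1
        ? 'Result for ' . $safe . ': ' . htmlspecialchars($hits[0], ENT_QUOTES, 'UTF-8')
        : count($hits) . ' results for ' . $safe;
    return '<h1>' . $label . '</h1>';
}

// Regression check over 0, 1 and many hits: the benign marker must never
// appear unencoded in the rendered page.
$marker = '<i></i>';
foreach (['Lamp', 'Kettle', 'Blue'] as $word) {
    $term = $word . $marker;
    printf(
        "%d hit(s)  flawed leaks raw markup: %-5s  hardened leaks: %s\n",
        count(findProducts($term)),
        var_export(strpos(renderFlawed($term), $marker) !== false, true),
        var_export(strpos(renderHardened($term), $marker) !== false, true)
    );
}
```

A test suite that only exercises empty or multi-result searches would pass against the flawed renderer, so the result-count boundary has to be a test case in its own right.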