JVN#78422311
Multiple vulnerabilities in CubeCart

Overview

CubeCart provided by CubeCart Limited contains multiple vulnerabilities.

Products Affected

• CubeCart versions prior to 6.6.0

Description

CubeCart provided by CubeCart Limited contains multiple vulnerabilities listed below.

• OS command injection (CWE-78)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.6
  • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
  • CVE-2026-21719
• SQL injection (CWE-89)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 5.1
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Base Score 6.3
  • CVE-2026-34018
• Path traversal (CWE-22)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 5.1
  • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N Base Score 2.7
  • CVE-2026-35496

Impact

• A user with an administrative privilege may execute an arbitrary OS command (CVE-2026-21719)
• An attacker may execute an arbitrary SQL statement on the product (CVE-2026-34018)
• A user with an administrative privilege may access higher-level directories that should not be accessible (CVE-2026-35496)

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The developer addressed the vulnerabilities in the following version:

• CubeCart 6.6.0