CVE-2026-44376

MEDIUM

CubeCart: Reflected XSS in Store Search Bar

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-44376. PoCs published by Th3-SAx11.

AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in CubeCart < 6.7.0 by injecting a JavaScript payload into the search functionality. The payload executes when the search query matches exactly one product in the database.

Description

CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product. This flaw bypasses current filters, allowing an attacker to execute malicious JavaScript in the victim's browser, leading to session hijacking, site defacement, or phishing. This vulnerability is fixed in 6.7.0.

Exploits (1)

exploitdb WORKING POC
by Th3-SAx11 · textwebappsmultiple
https://www.exploit-db.com/exploits/52588

This exploit demonstrates a reflected XSS vulnerability in CubeCart < 6.7.0 by injecting a JavaScript payload into the search functionality. The payload executes when the search query matches exactly one product in the database.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: CubeCart < 6.7.0
No auth needed
Prerequisites: A product name that matches exactly one result in the store's database
devstral-2 · analyzed May 30, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.1
EPSS 0.0015
EPSS Percentile 35.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
cubecart/v6 < 6.7.0
Published May 13, 2026
Tracked Since May 14, 2026