Product: CubeCart
50 known vulnerabilities across versions
Each entry gives the CVE identifier, the affected-version range as this listing derived it, and the opening of the CVE description. An entry marked "all versions" means no range was derived from the record, not that every release is affected: read the description for the versions the CVE actually names (for example, the session fixation entry marked "all versions" names only 6.4.2). Descriptions are abbreviated; consult the CVE record for the full text and the fixed release.
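The affected-version column uses a small notation ("< 6.6.0", "<= 6.1.4", ">= 5.0.0 and <= 5.2.0", "all versions"). The following is an added example, not code from this listing or from the CubeCart project, that parses that notation and reports which entries apply to an installed version. The entry subset is copied from this page; the function names are my own; "all versions" is deliberately treated as "no range derived" and reported separately rather than as a match.

```python
"""Check an installed CubeCart version against affected-version ranges written in
this listing's notation.  Added example, not part of the listing or of CubeCart.
The LISTING entries are copied from this page; helper names are assumptions."""
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}
CLAUSE = re.compile(r"(<=|>=|<|>|==)\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'6.5.11' -> (6, 5, 11, 0).  Padded with zeros so that 6.5 == 6.5.0;
    tuple comparison then orders releases correctly (6.5.10 > 6.5.5)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (max(4, len(parts)) - len(parts)))


def parse_range(text):
    """Return a predicate version-tuple -> bool, or None when the listing derived
    no range ("all versions" on this page means unknown, not every release)."""
    text = text.strip().lower()
    if text == "all versions":
        return None
    clauses = CLAUSE.findall(text)
    leftover = CLAUSE.sub("", text).replace("and", "").strip()
    if not clauses or leftover:
        raise ValueError(f"unrecognised range: {text!r}")
    bounds = [(OPS[op], parse_version(ver)) for op, ver in clauses]
    return lambda ver: all(cmp(ver, bound) for cmp, bound in bounds)


# Subset of this page's entries (CVE, affected-version column).
LISTING = [
    ("CVE-2026-35496", "< 6.6.0"),
    ("CVE-2025-59413", "< 6.5.11"),
    ("CVE-2024-34832", "< 6.5.5"),
    ("CVE-2023-47675", "< 6.5.3"),
    ("CVE-2021-33394", "all versions"),   # description names 6.4.2 only
    ("CVE-2018-20716", "< 6.1.13"),
    ("CVE-2017-2117", "<= 6.1.4"),
    ("CVE-2014-2341", "<= 5.2.8"),
    ("CVE-2013-1465", ">= 5.0.0 and <= 5.2.0"),
]


def classify(version, listing=LISTING):
    """Split the listing into (matched, range_unknown) for an installed version.
    Entries in range_unknown still need a manual read of the description."""
    ver = parse_version(version)
    matched, unknown = [], []
    for cve, rng in listing:
        pred = parse_range(rng)
        if pred is None:
            unknown.append(cve)
        elif pred(ver):
            matched.append(cve)
    return matched, unknown


if __name__ == "__main__":
    for installed in ("6.5.10", "6.6.0", "5.1.0"):
        hit, unknown = classify(installed)
        print(f"{installed}: matched={hit} range-unknown={unknown}")
```

The padding in parse_version matters: without it a bare "6.6" would sort below "6.6.0" and be reported as affected by a "< 6.6.0" entry.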
CVE-2026-35496 (affected: < 6.6.0)
A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to acces

CVE-2026-34018 (affected: < 6.6.0)
An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statemen

CVE-2026-21719 (affected: < 6.6.0)
An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege t

CVE-2025-59413 (affected: < 6.5.11)
CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint t

CVE-2025-59412 (affected: < 6.5.11)
CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where u

CVE-2025-59411 (affected: < 6.5.11)
CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that

CVE-2025-59335 (affected: < 6.5.11)
CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following

CVE-2024-34832 (affected: < 6.5.5)
Directory Traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary code via a crafted file u

CVE-2024-33438 (affected: < 6.5.5)
File Upload vulnerability in CubeCart before 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file

CVE-2023-47675 (affected: < 6.5.3)
CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command

CVE-2023-47283 (affected: < 6.5.3)
Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privile

CVE-2023-42428 (affected: < 6.5.3)
Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privile

CVE-2023-38130 (affected: < 6.5.3)
Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6.5.3 allows a remote unauthenticated attacker to delete data

CVE-2021-33394 (affected: all versions)
CubeCart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A mali

CVE-2018-20716 (affected: < 6.1.13)
CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature.

CVE-2018-20703 (affected: all versions)
CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.

CVE-2017-2117 (affected: <= 6.1.4)
Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary

CVE-2017-2098 (affected: <= 6.1.3)
Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary file

CVE-2017-2090 (affected: <= 6.1.3)
Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary file

CVE-2015-6928 (affected: all versions)
classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset re

CVE-2014-2341 (affected: <= 5.2.8)
Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter

CVE-2013-1465 (affected: >= 5.0.0 and <= 5.2.0)
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize

CVE-2012-0865 (affected: <= 3.0.20)
Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web si

CVE-2010-4903 (affected: all versions)
SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remote attackers to execute arbitrary SQL commands via the searc

CVE-2011-3724 (affected: all versions)
CubeCart 4.4.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the inst

CVE-2010-1931 (affected: all versions)
SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attac

CVE-2009-4060 (affected: <= 4.3.6)
SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 allows remote attackers to execute arbitrary SQ

CVE-2009-3904 (affected: all versions)
classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows

CVE-2008-1550 (affected: all versions)
Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web

CVE-2007-2862 (affected: all versions)
Multiple SQL injection vulnerabilities in CubeCart 3.0.16 might allow remote attackers to execute arbitrary SQL commands via an un

CVE-2007-2550 (affected: all versions)
Multiple CRLF injection vulnerabilities in Devellion CubeCart 3.0.15 allow remote attackers to inject arbitrary HTTP headers and c

CVE-2006-5109 (affected: all versions)
Devellion CubeCart 2.0.x allows remote attackers to obtain sensitive information via a direct request for (1) link_navi.php or (2)

CVE-2006-5108 (affected: all versions)
Multiple cross-site scripting (XSS) vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to inject arbitrary web scr

CVE-2006-5107 (affected: all versions)
Multiple SQL injection vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to execute arbitrary SQL commands via (1

CVE-2006-4527 (affected: all versions)
includes/content/gateway.inc.php in CubeCart 3.0.12 and earlier, when magic_quotes_gpc is disabled, uses an insufficiently restric

CVE-2006-4526 (affected: <= 3.0.12)
SQL injection vulnerability in includes/content/viewCat.inc.php in CubeCart 3.0.12 and earlier, when register_globals is enabled,

CVE-2006-4525 (affected: <= 3.0.12)
Cross-site scripting (XSS) vulnerability in CubeCart 3.0.12 and earlier, when register_globals is enabled, allows remote attackers

CVE-2006-4268 (affected: all versions)
Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.11 and earlier allow remote attackers to inject arbitrary web

CVE-2006-4267 (affected: all versions)
Multiple SQL injection vulnerabilities in CubeCart 3.0.11 and earlier allow remote attackers to execute arbitrary SQL commands via

CVE-2006-0922 (affected: all versions)
CubeCart 3.0 through 3.6 does not properly check authorization for an administration session because of a missing auth.inc.php inc

CVE-2006-0245 (affected: all versions)
Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.7-pl1 allow remote attackers to inject arbitrary web script or

CVE-2006-0064 (affected: all versions)
PHP remote file include vulnerability in includes/orderSuccess.inc.php in CubeCart allows remote attackers to execute arbitrary PH

CVE-2005-3152 (affected: all versions)
Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.3 allow remote attackers to inject arbitrary web script or HTM

CVE-2005-1033 (affected: all versions)
CubeCart 2.0.6 allows remote attackers to obtain sensitive information via an invalid (1) language parameter to index.php, (2) PHP

CVE-2005-0607 (affected: all versions)
CubeCart 2.0.0 through 2.0.5 allows remote attackers to determine the full path of the server via direct calls without parameters

CVE-2005-0606 (affected: all versions)
Cross-site scripting (XSS) vulnerability in settings.inc.php for CubeCart 2.0.0 through 2.0.5, as used in multiple PHP files, allo

CVE-2005-0443 (affected: all versions)
index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the full path for the web server or (2) conduct cross-site scrip

CVE-2005-0442 (affected: all versions)
Directory traversal vulnerability in index.php for CubeCart 2.0.4 allows remote attackers to read arbitrary files via the language

CVE-2004-1580 (affected: all versions)
SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_i

CVE-2004-1579 (affected: all versions)
index.php in CubeCart 2.0.1 allows remote attackers to gain sensitive information via an HTTP request with an invalid cat_id param
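Several entries above (the admin file reads fixed in 6.1.4, 6.1.5, 6.5.3 and 6.6.0, and the `language` parameter traversal in 2.0.4) share one shape: a request-supplied file name is joined onto a base directory and the result is opened. The following is an added example, not CubeCart code, showing that shape beside a containment check that canonicalises the path and refuses anything that resolves outside the base. The directory layout, file names and contents are constructed for the demo; the function names are my own.

```python
"""Path traversal: the vulnerable join beside a containment check.
Added example, not CubeCart code; the files created below are constructed."""
import os
import tempfile


def unsafe_resolve(base, requested):
    """The vulnerable shape: join the caller's string onto base and trust it.
    '..' walks out of base, and an absolute `requested` makes join drop base."""
    return os.path.join(base, requested)


def safe_resolve(base, requested):
    """Canonicalise (symlinks and '..' resolved) and require the result to stay
    under base.  Returns the canonical path, or None when the request escapes."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def demo():
    """Per request: (the unsafe join points at an existing file, safe check allows it)."""
    with tempfile.TemporaryDirectory() as tmp:
        lang_dir = os.path.join(tmp, "language")
        os.mkdir(lang_dir)
        with open(os.path.join(lang_dir, "en-GB.xml"), "w") as f:
            f.write("<language/>")                 # constructed language file
        secret = os.path.join(tmp, "config.inc.php")
        with open(secret, "w") as f:
            f.write("<?php $db_password = 'x';")    # constructed file that must stay unread
        requests = {
            "in-tree": "en-GB.xml",            # legitimate
            "dotdot": "../config.inc.php",     # classic traversal
            "absolute": secret,                # absolute path replaces the base entirely
        }
        return {
            label: (os.path.isfile(unsafe_resolve(lang_dir, req)),
                    safe_resolve(lang_dir, req) is not None)
            for label, req in requests.items()
        }


if __name__ == "__main__":
    for label, (unsafe_hits, safe_allows) in demo().items():
        print(f"{label:9} unsafe-join-reads-file={unsafe_hits} safe-allows={safe_allows}")
```

The check compares against the canonical base, not the configured string, so a base that is itself a symlink still works. An empty request resolves to the base directory itself and passes the containment test; reject that separately if the caller must name a file.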
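Two entries above describe session fixation (6.4.2 does not issue a new session cookie after login; before 5.2.9 a PHPSESSID parameter could be planted) and one describes the absence of automatic session expiration (before 6.5.11). The following is an added example, not CubeCart code, that models a session store with and without the two defences: rotating the session id at login (the equivalent of PHP's session_regenerate_id(true)) and enforcing idle and absolute lifetimes. The store, the limits, the fake clock and the user name are constructed for the demo.

```python
"""Session fixation and missing automatic expiry, modelled in a small store.
Added example, not CubeCart code; limits and names are constructed."""
import secrets
import time

IDLE_LIMIT = 15 * 60         # assumed policy: 15 minutes without a request
ABSOLUTE_LIMIT = 8 * 3600    # assumed policy: 8 hours since authentication


class SessionStore:
    def __init__(self, rotate_on_login, enforce_expiry, clock=time.time):
        self.rotate_on_login = rotate_on_login
        self.enforce_expiry = enforce_expiry
        self.clock = clock
        self._sessions = {}  # sid -> {"user", "created", "last_seen"}

    def start(self):
        """Issue an anonymous session; any visitor, the attacker included, gets one."""
        sid = secrets.token_hex(16)
        now = self.clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, sid, user):
        """Authenticate and return the id the client must use from now on."""
        sess = self._sessions[sid]
        now = self.clock()
        sess.update(user=user, created=now, last_seen=now)
        if not self.rotate_on_login:
            return sid                   # vulnerable: the pre-login id stays valid
        del self._sessions[sid]          # hardened: the id the attacker planted dies here
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = sess
        return new_sid

    def whoami(self, sid):
        """User bound to sid, or None; enforces idle/absolute limits when enabled."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        expired = (now - sess["last_seen"] > IDLE_LIMIT
                   or now - sess["created"] > ABSOLUTE_LIMIT)
        if self.enforce_expiry and expired:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]


def fixation_scenario(rotate_on_login):
    """Attacker plants a sid it already holds; the victim then logs in with it.
    Returns (user the attacker's sid resolves to, user the victim's sid resolves to)."""
    store = SessionStore(rotate_on_login, enforce_expiry=True)
    planted = store.start()
    victim_sid = store.login(planted, "alice")
    return store.whoami(planted), store.whoami(victim_sid)


def expiry_scenario(enforce_expiry, idle_seconds):
    """Authenticated session left idle for idle_seconds; returns the user it still maps to."""
    now = [1_700_000_000.0]          # fake clock so the outcome is deterministic
    store = SessionStore(True, enforce_expiry, clock=lambda: now[0])
    sid = store.login(store.start(), "alice")
    now[0] += idle_seconds
    return store.whoami(sid)


if __name__ == "__main__":
    print("no rotation:", fixation_scenario(False))   # attacker's sid is now alice
    print("rotation:   ", fixation_scenario(True))    # attacker's sid is dead
    print("no expiry, idle 16 min:", expiry_scenario(False, IDLE_LIMIT + 60))
    print("expiry, idle 16 min:   ", expiry_scenario(True, IDLE_LIMIT + 60))
```

The rotation must delete the old record, not merely copy it: keeping both ids alive leaves the planted one authenticated. Rotation on privilege change (login, admin elevation) and an absolute lifetime together close both entries' conditions.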