CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email address. This issue has been patched in version 6.5.11.
{
"cwe_ids": [
"CWE-862"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59413.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:cubecart:cubecart:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "6.5.11"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}