CVE-2026-39358

Source
https://cve.org/CVERecord?id=CVE-2026-39358
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39358.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39358
Aliases
  • GHSA-8gj6-9fwc-h4gh
Published
2026-05-13T20:38:37.751Z
Modified
2026-07-08T05:51:34.936812880Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
CubeCart: Time-based Blind SQL Injection
Details

CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sortactivity, sortadmin, and sort_customer) of the Products and Logs endpoints in CubeCart v6.x. This allows an attacker to execute arbitrary SQL commands, compromising the confidentiality and integrity of the database. This vulnerability is fixed in 6.6.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39358.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/cubecart/v6

Affected ranges

Type
GIT
Repo
https://github.com/cubecart/v6
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.6.0"
        }
    ]
}

Affected versions

2.*
2.6.7
6.*
6.0.0
6.0.0b1
6.0.0b2
6.0.0b3
6.0.0b4
6.0.0b5
6.0.0b6
6.0.0b7
6.0.1
6.0.10
6.0.11
6.0.12
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.8
6.0.9
6.1.0
6.1.1
6.1.10
6.1.11pr
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
6.1.9
6.2.0
6.2.0-b1
6.2.0-rc1
6.2.0-rc2
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.8
6.2.9
6.4.0
6.4.0-b1
6.4.0-b2
6.4.1
6.4.10
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.4.7
6.4.8
6.4.9
6.5.0
6.5.1
6.5.10
6.5.11
6.5.12
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.8
6.5.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39358.json"