CubeCart versions before 6.6.0 allow code injection through user input

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.1

CubeCart versions before 6.6.0 allow code injection through user input

CVE-2026-34018

Summary

If not updated, CubeCart stores can be compromised by malicious input, allowing an attacker to alter data or disrupt the site. Update to version 6.6.0 or later to fix this issue. This is a high priority update to prevent potential data tampering and site disruption.

Original title

An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product.

Original description

An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product.

nvd CVSS3.0 6.3

nvd CVSS4.0 5.1

Vulnerability type

CWE-89 SQL Injection

https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-y...
https://jvn.jp/en/jp/JVN78422311/

Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026