Reflected XSS Vulnerability in Cradle eCommerce Platform
CVE-2026-3320

5.1 MEDIUM

Key Information:

Vendor

E-commerce

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-3320?

A reflected Cross-Site Scripting (XSS) vulnerability exists in the latest demo version of the Cradle eCommerce platform, where user input is insecurely reflected in the HTML output at the /product/ endpoint. An attacker can exploit this flaw to execute arbitrary JavaScript code in the browser of users interacting with the affected product, potentially leading to unauthorized actions, data leakage, or further attacks on the platform's users.

Affected Version(s)

Cradle latest demo version

References

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Gonzalo Aguilar García (6h4ack)