Time-Based Blind SQL Injection in CubeCart eCommerce Software
CVE-2026-39358

7.2 HIGH

Key Information:

Vendor: Cubecart

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-39358?

Prior to version 6.6.0, CubeCart's eCommerce platform was vulnerable to Authenticated Time-Based Blind SQL Injection due to flaws in the sorting parameters used in the Products and Logs endpoints. This security weakness enables an attacker to leverage SQL injection techniques to execute arbitrary SQL commands, potentially damaging both the confidentiality and integrity of the database. Such exploits could expose sensitive user data or manipulate existing records, thereby compromising the overall security of the application. Users are encouraged to upgrade to version 6.6.0 or later to mitigate these risks.
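Sort columns and directions are SQL identifiers and keywords, so they cannot be bound as prepared-statement parameters; the usual defence is to map the request value onto a fixed allowlist. The sketch below is an added example, not CubeCart's code or its 6.6.0 fix; the column map, the function name `buildOrderBy` and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request value => real column name (not CubeCart's schema).
const PRODUCT_SORT_COLUMNS = [
    'name'    => 'name',
    'price'   => 'price',
    'updated' => 'updated_at',
];

/**
 * Build an ORDER BY clause from untrusted request values.
 * The emitted column and direction are always fixed strings chosen by the
 * application; nothing from the request is copied into the SQL text.
 */
function buildOrderBy(array $allowed, mixed $field, mixed $dir, string $defaultKey): string
{
    // Non-string values (e.g. array-shaped parameters) and unknown keys
    // fall back to the default sort column.
    if (!is_string($field) || !array_key_exists($field, $allowed)) {
        $field = $defaultKey;
    }
    // Only an exact, case-insensitive "DESC" selects descending order.
    $direction = (is_string($dir) && strtoupper($dir) === 'DESC') ? 'DESC' : 'ASC';

    return sprintf('ORDER BY `%s` %s', $allowed[$field], $direction);
}

// Constructed sample inputs, as they might arrive from a query string.
$samples = [
    ['price', 'desc'],            // valid key, valid direction
    ['updated', 'ASC'],           // valid key mapped to a different column name
    ['price,1', 'asc'],           // extra text appended: not an allowlist key
    [['price' => 'x'], 'desc'],   // array-shaped parameter: not a string
    ['name', 'DESC --'],          // direction with trailing text: not exactly DESC
];

foreach ($samples as [$field, $dir]) {
    echo buildOrderBy(PRODUCT_SORT_COLUMNS, $field, $dir, 'name'), PHP_EOL;
}
```

Requires PHP 8.0 or later for the `mixed` type.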

Affected Version(s)

v6 < 6.6.0

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
