PT-2026-40803 · Cubecart · Cubecart

Published 2026-05-13 · Updated 2026-05-13 · CVE-2026-39358

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CubeCart versions prior to 6.6.0

Description: An authenticated time-based blind SQL injection (a technique in which an attacker infers data from how long the server takes to respond to crafted queries) exists in the Products and Logs endpoints. The issue resides in the sorting parameters sort[price], sort activity, sort admin, and sort customer, which allows an attacker holding an authenticated account to execute arbitrary SQL commands and compromise the confidentiality and integrity of the database.

Recommendations: Update to version 6.6.0. As a temporary workaround, restrict access to the sorting parameters sort[price], sort activity, sort admin, and sort customer in the Products and Logs endpoints.
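The root cause described above is the classic one for sort parameters: a client-supplied column name or direction is placed straight into an ORDER BY clause, where it cannot be bound as a prepared-statement parameter, so the only sound fix is an allowlist that maps client keys to trusted column identifiers. The following is an added example written for this advisory; it is not CubeCart's code and makes no claim about how CubeCart builds its queries. The column allowlist, the `sort[...]` query-string shape, and the sample inputs are constructed for illustration.

```python
"""Allowlisted ORDER BY construction beside the interpolation pattern it replaces.

Added example, not project code. PRODUCT_SORT_COLUMNS is a constructed allowlist:
the keys are what a client may send, the values are the trusted SQL identifiers.
"""
import re
from urllib.parse import parse_qs

# Constructed allowlist: client-facing sort key -> trusted column identifier.
PRODUCT_SORT_COLUMNS = {"price": "price", "name": "name", "updated": "updated"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

_SORT_KEY = re.compile(r"sort\[([^\]]*)\]")


class InvalidSortParameter(ValueError):
    """Raised when a sort key or direction is not on the allowlist."""


def parse_sort_query(query_string):
    """Extract sort[<key>]=<direction> pairs from a raw query string.

    parse_qs URL-decodes values; only the first value for each key is kept.
    Keys that are not of the form sort[...] are ignored.
    """
    params = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        match = _SORT_KEY.fullmatch(name)
        if match and values:
            params[match.group(1)] = values[0]
    return params


def vulnerable_order_by(sort_params):
    """The unsafe pattern: whatever the client sent lands in the SQL text.

    Kept here only to contrast with build_order_by; nothing validates the
    key or direction, so any string becomes part of the query.
    """
    if not sort_params:
        return ""
    return "ORDER BY " + ", ".join(f"{key} {direction}" for key, direction in sort_params.items())


def build_order_by(sort_params, allowlist=PRODUCT_SORT_COLUMNS):
    """Translate {'price': 'asc'} style params into an ORDER BY clause.

    The client key is used only as a dictionary lookup into the allowlist, so
    the emitted identifier is always one of the trusted values; the direction
    is normalised and must be exactly ASC or DESC. Anything else is rejected
    rather than sanitised, which is the behaviour to log as an anomaly.
    """
    clauses = []
    for key, direction in sort_params.items():
        column = allowlist.get(key)
        if column is None:
            raise InvalidSortParameter(f"unknown sort column: {key!r}")
        direction = str(direction).strip().upper()
        if direction not in ALLOWED_DIRECTIONS:
            raise InvalidSortParameter(f"invalid sort direction: {direction!r}")
        clauses.append(f"`{column}` {direction}")
    if not clauses:
        return ""
    return "ORDER BY " + ", ".join(clauses)


def is_accepted(sort_params, allowlist=PRODUCT_SORT_COLUMNS):
    """Convenience predicate: True if build_order_by would accept the params."""
    try:
        build_order_by(sort_params, allowlist)
        return True
    except InvalidSortParameter:
        return False


if __name__ == "__main__":
    # Constructed request: two allowlisted keys, mixed-case direction.
    good = parse_sort_query("sort[price]=ASC&sort[name]=desc")
    print(build_order_by(good))
    # Constructed request with a key that is not a sort column at all.
    bad = parse_sort_query("sort[not_a_column]=ASC")
    print("vulnerable builder accepts it:", vulnerable_order_by(bad))
    print("hardened builder accepts it:", is_accepted(bad))
```

Rejecting rather than cleaning the value matters for detection as well as for correctness: every `InvalidSortParameter` is a request that could not have come from the application's own UI, so logging it with the account that sent it gives the operations team a direct signal for the authenticated probing this advisory describes.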

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2026-39358

Affected Products: Cubecart