{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34018", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-04-13T02:53:40.276Z", "datePublished": "2026-04-17T04:33:35.768Z", "dateUpdated": "2026-04-17T12:20:12.217Z"}, "containers": {"cna": {"affected": [{"vendor": "CubeCart Limited", "product": "CubeCart", "versions": [{"version": "prior to 6.6.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product."}], "problemTypes": [{"descriptions": [{"description": "Improper neutralization of special elements used in an SQL command ('SQL Injection')", "lang": "en-US", "cweId": "CWE-89", "type": "CWE"}]}], "references": [{"url": "https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405"}, {"url": "https://jvn.jp/en/jp/JVN78422311/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-17T04:33:35.768Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T12:20:02.943694Z", "id": "CVE-2026-34018", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T12:20:12.217Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34018", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-17T12:20:02.943694Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T12:20:08.007Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "CubeCart Limited", "product": "CubeCart", "versions": [{"status": "affected", "version": "prior to 6.6.0"}]}], "references": [{"url": "https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405"}, {"url": "https://jvn.jp/en/jp/JVN78422311/"}], "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-89", "description": "Improper neutralization of special elements used in an SQL command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-17T04:33:35.768Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34018", "state": "PUBLISHED", "dateUpdated": "2026-04-17T12:20:12.217Z", "dateReserved": "2026-04-13T02:53:40.276Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-04-17T04:33:35.768Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product."}], "id": "CVE-2026-34018", "lastModified": "2026-04-17T15:08:25.183", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-17T06:16:29.733", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN78422311/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.6.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "CubeCart", "source": "cna", "vendor": "CubeCart Limited"}, "product": "cubecart", "vendor": "cubecart"}], "analysis": {"en": {"generated_at": "2026-04-17T06:51:00.226134+00:00", "value": {"mitigation_remediation": ["Ensure backups of the website and database are taken before making changes.", "Update CubeCart to version 6.6.0 or newer to eliminate the injection flaw.", "If an immediate upgrade is not possible, deploy input validation or web application firewall rules to block suspicious SQL payloads."], "summary": {"action": "Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "CubeCart Limited\u2019s CubeCart platform prior to version 6.6.0 is vulnerable. All releases older than 6.6.0 may be affected, with no specific patch noted for individual minor revisions.", "description_and_impact": "A classic SQL injection flaw allows an attacker to execute arbitrary SQL commands against the database. If exploited, an attacker could read sensitive information, modify or delete data, and potentially gain administrative access through the vulnerable e\u2011commerce platform.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a moderate risk level. Exploitation likelihood has not been quantified. The vulnerability is not listed in the known exploited vulnerabilities catalog. Attack vectors are likely remote, using crafted HTTP requests targeting user input fields, with no special prerequisites beyond access to the application."}}}}, "created": "2026-04-17T06:30:11.530527+00:00", "updated": "2026-04-17T07:00:08.558674+00:00", "vendors": ["cubecart", "cubecart$PRODUCT$cubecart"]}