CVE-2025-59411 MEDIUM

CVE-2025-59411: CubeCart Stored/Reflected HTML Injection Vulnerability in Contact Enquiry

Vendor Cubecart
Product v6
Weakness CWE-79 · XSS
Published September 22, 2025
Last update September 22, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11.

Key dates

02Disclosure timeline

September 22, 2025 CVE published
September 22, 2025 Record updated