CVE-2026-3318 MEDIUM

CVE-2026-3318: Multiple vulnerabilities in Cradle e-commerce

Vendor Cradle
Product e-commerce
Weakness CWE-601 · Open redirect
Published May 8, 2026
Last update May 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Open redirect vulnerability in the latest demo version of the Cradle eCommerce platform. The login form endpoint accepts a URL in the ‘returnUrl’ parameter and redirects to it without properly validating it. As a result, users can be redirected from the legitimate website to external pages. An attacker could exploit this vulnerability to deceive users, sending them from a trusted URL to a malicious one without their knowledge.
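One way to validate a `returnUrl` value before redirecting, shown as an added example that is not Cradle's code and not part of the advisory. The advisory does not state Cradle's stack, so JavaScript, the site origin `https://shop.example`, the fallback `/` and the function name `safeReturnUrl` are all assumptions.

```javascript
// Added example: same-origin check for a login form's returnUrl parameter.
// SITE_ORIGIN and FALLBACK are assumed values, not taken from the advisory.
const SITE_ORIGIN = "https://shop.example";
const FALLBACK = "/";

// Returns a same-site path that is safe to place in a Location header,
// or FALLBACK when returnUrl resolves anywhere else.
function safeReturnUrl(returnUrl, siteOrigin = SITE_ORIGIN) {
  // Repeated query parameters can arrive as arrays; accept only a string.
  if (typeof returnUrl !== "string" || returnUrl.length === 0) return FALLBACK;

  let target;
  try {
    // Resolve the way a browser would: the WHATWG parser strips tabs and
    // newlines, treats "\" as "/", and understands "//host" and "user@host".
    target = new URL(returnUrl, siteOrigin);
  } catch (err) {
    return FALLBACK;
  }

  // Absolute, protocol-relative and non-http(s) targets fail this comparison
  // (javascript: and data: URLs report the opaque origin "null").
  if (target.origin !== new URL(siteOrigin).origin) return FALLBACK;

  // A same-origin URL can still normalise to a path starting with "//",
  // which a browser would read as a different host when it is sent back.
  if (target.pathname.startsWith("//")) return FALLBACK;

  // Emit only the parsed components, never the raw input.
  return target.pathname + target.search + target.hash;
}

// Constructed sample inputs for a quick manual check.
const samples = [
  "/account/orders?page=2",
  "https://evil.example/login",
  "//evil.example/",
  "/\\evil.example",
  "https://shop.example@evil.example/",
  "https://shop.example//evil.example",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeReturnUrl(s));
}
```

Comparing the parsed origin, rather than testing the raw string with a prefix or substring match, is what rejects the look-alike forms in the sample list.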

Key dates

02 Disclosure timeline

May 8, 2026 CVE published
May 8, 2026 Record updated