CVE-2026-3320 MEDIUM

CVE-2026-3320: Multiple vulnerabilities in Cradle e-commerce

Vendor E-Commerce

Product Cradle

Weakness CWE-79 · XSS

Published May 11, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /product/. Exploitation of this vulnerability would allow an attacker to execute arbitrary JavaScript code.

Key dates

02Disclosure timeline

May 11, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-3320 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2020-37238 CMS Made Simple 2.2.15 Stored XSS via SVG File Upload CVE-2024-34797 WordPress Simple Popup Manager plugin <= 1.3.5 - Cross Site Scripting (XSS) vulnerability CVE-2025-58874 WordPress StoryMap Plugin <= 2.1 - Cross Site Scripting (XSS) Vulnerability CVE-2025-14151 SlimStat Analytics <= 5.3.2 - Unauthenticated Stored Cross-Site Scripting CVE-2025-36135 IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Cross-Site Scripting