cvedb.io
CVE-2025-59411
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2025-09-22T17:16:08.727 · Last modified 2026-06-17T09:46:07.163

Summary

CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11.

Affected products

cubecart — cubecart

Does this affect you?

Add your gear to cvedb and we'll alert you only when cubecart ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.