CVE-2025-59411

low-risk
Published 2025-09-22

CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Cubecart

References (4)

Patch https://github.com/cubecart/v6/commit/299065bd4a8836782ce92f70988c730f130756db
Patch https://github.com/cubecart/v6/commit/48336c54532705873a8c4106208c2d596f128047
Exploit https://github.com/cubecart/v6/security/advisories/GHSA-5hg3-m3q3-v2p4
Exploit https://github.com/cubecart/v6/security/advisories/GHSA-5hg3-m3q3-v2p4
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal