CVE-2025-59411
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-59411
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59411.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-59411
- Aliases
-
- GHSA-5hg3-m3q3-v2p4
- Published
- 2025-09-22T16:14:23.843Z
- Modified
- 2025-12-02T20:15:38.399225Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- CubeCart Stored/Reflected HTML Injection Vulnerability in Contact Enquiry
- Details
-
CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59411.json", "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59411.json
- https://github.com/cubecart/v6/commit/299065bd4a8836782ce92f70988c730f130756db
- https://github.com/cubecart/v6/commit/48336c54532705873a8c4106208c2d596f128047
- https://github.com/cubecart/v6/security/advisories/GHSA-5hg3-m3q3-v2p4
- https://nvd.nist.gov/vuln/detail/CVE-2025-59411
Affected packages
Git / github.com/cubecart/v6
Affected ranges
- Type
- GIT
- Repo
- https://github.com/cubecart/v6
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
6.*
6.1.11pr
6.2.0-b1
v2.*
v2.6.7
v6.*
v6.0.0
v6.0.0b1
v6.0.0b2
v6.0.0b3
v6.0.0b4
v6.0.0b5
v6.0.0b6
v6.0.0b7
v6.0.1
v6.0.10
v6.0.11
v6.0.12
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.8
v6.0.9
v6.1.0
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2.0
v6.2.0-b1
v6.2.0-rc1
v6.2.0-rc2
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.8
v6.2.9
v6.4.0
v6.4.0-b1
v6.4.0-b2
v6.4.1
v6.4.10
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v6.5.0
v6.5.1
v6.5.10
v6.5.2
v6.5.3
v6.5.4
v6.5.5
v6.5.6
v6.5.8
v6.5.9