{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35496", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-04-13T02:53:41.252Z", "datePublished": "2026-04-17T04:33:49.813Z", "dateUpdated": "2026-04-17T12:18:33.735Z"}, "containers": {"cna": {"affected": [{"vendor": "CubeCart Limited", "product": "CubeCart", "versions": [{"version": "prior to 6.6.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible."}], "problemTypes": [{"descriptions": [{"description": "Improper limitation of a pathname to a restricted directory ('Path Traversal')", "lang": "en-US", "cweId": "CWE-22", "type": "CWE"}]}], "references": [{"url": "https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405"}, {"url": "https://jvn.jp/en/jp/JVN78422311/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "LOW", "baseScore": 2.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-17T04:33:49.813Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T12:18:24.559535Z", "id": "CVE-2026-35496", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T12:18:33.735Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35496", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-17T12:18:24.559535Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T12:18:27.892Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "CubeCart Limited", "product": "CubeCart", "versions": [{"status": "affected", "version": "prior to 6.6.0"}]}], "references": [{"url": "https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405"}, {"url": "https://jvn.jp/en/jp/JVN78422311/"}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-22", "description": "Improper limitation of a pathname to a restricted directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-17T04:33:49.813Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35496", "state": "PUBLISHED", "dateUpdated": "2026-04-17T12:18:33.735Z", "dateReserved": "2026-04-13T02:53:41.252Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-04-17T04:33:49.813Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cubecart:cubecart:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3DF3827-0521-4019-B96F-736244280F51", "versionEndExcluding": "6.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible."}], "id": "CVE-2026-35496", "lastModified": "2026-04-20T14:43:14.540", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-17T06:16:29.867", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Release Notes"], "url": "https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN78422311/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.6.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "CubeCart", "source": "cna", "vendor": "CubeCart Limited"}, "product": "cubecart", "vendor": "cubecart"}], "analysis": {"en": {"generated_at": "2026-04-17T06:20:42.191607+00:00", "value": {"mitigation_remediation": ["Upgrade CubeCart to version 6.6.0 or later", "Re\u2011configure file permissions to limit administrative access strictly to required directories", "Implement input validation to reject paths containing '../' sequences and enforce directory boundaries"], "summary": {"action": "Patch", "impact": "Unauthorized directory access"}, "threat_synthesis": {"affected_systems": "CubeCart Limited\u2019s CubeCart software, versions earlier than 6.6.0, are affected. Any installation running a pre\u20116.6.0 release inherits the path traversal issue.", "description_and_impact": "A path traversal weakness (CWE\u201122) allows an attacker with administrative privileges to navigate beyond intended directories in CubeCart installations prior to version\u00a06.6.0, potentially viewing or modifying files that should remain hidden. This flaw does not enable arbitrary code execution, but it gives privileged users access to sensitive configuration files or data. The vulnerability is limited to users who already possess admin credentials; attackers must therefore either compromise an account or obtain administrative access through other means.", "risk_and_exploitability": "The flaw carries a CVSS score of 5.1, signifying a moderate severity level. Because the exploit requires administrative access, the likelihood of exploitation is constrained by the ability to compromise admin credentials, and no EPSS data is available or the vulnerability is not listed in KEV. Attackers who gain admin rights can read or overwrite files outside the intended directory tree, potentially exposing confidential data or tampering with configuration. Overall, the risk is moderate but should be mitigated promptly to prevent privileged misuse."}}}}, "created": "2026-04-17T06:30:11.603342+00:00", "title": "Administrative Path Traversal in CubeCart prior to 6.6.0", "updated": "2026-04-17T08:01:13.824366+00:00", "vendors": ["cubecart", "cubecart$PRODUCT$cubecart"]}