Home > Vulnerability Database > CVE-2025-59411

Mend.io Vulnerability Database

CVE-2025-59411

Good to know:

Date: September 22, 2025

CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been patched in version 6.5.11.

Severity Score

5.4

Related Resources (5)

Url: https://github.com/cubecart/v6/security/advisories/GHSA-5hg3-m3q3-v2p4

Url: https://github.com/cubecart/v6/commit/299065bd4a8836782ce92f70988c730f130756db

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-59411

Url: https://github.com/cubecart/v6/commit/48336c54532705873a8c4106208c2d596f128047

Url: https://www.mend.io/vulnerability-database/CVE-2025-59411

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version https://github.com/cubecart/v6.git - v6.5.11

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-59411

Good to know:

Date: September 22, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?