CVE-2026-3318 PUBLISHED

Multiple vulnerabilities in Cradle e-commerce

Assigner: INCIBE
Reserved: 27.02.2026 Published: 08.05.2026 Updated: 08.05.2026

Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the ‘returnUrl’ parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result, it is possible to redirect users from the legitimate website to external pages. An attacker could exploit this vulnerability to deceive users and redirect them from a trusted URL to a malicious one without their knowledge.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	Low
Attack Complexity	Low	Integrity	Low	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Cradle
Product	e-commerce
Versions	Default: unaffected Version latest demo version is affected

Solutions

The vulnerabilities have been fixed by the Cradle team in the latest version of Cradle eCommerce.

This issue does not affect Cradle CMS, as it does not include products or collections, nor does it have customer accounts for logging in.

Credits

Gonzalo Aguilar García (6h4ack) finder

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cradle-e-commerce

Problem Types

CWE-601 URL redirection to untrusted site ('open redirect') CWE