CVE-2026-3318

UNKNOWN 0.0

Multiple vulnerabilities in Cradle e-commerce

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the ‘returnUrl’ parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result, it is possible to redirect users from the legitimate website to external pages. An attacker could exploit this vulnerability to deceive users and redirect them from a trusted URL to a malicious one without their knowledge.

CWE	CWE-601
Vendor	cradle
Product	e-commerce
Published	May 8, 2026
Last Updated	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for cradle e-commerce

Be the first to know when new unknown vulnerabilities affecting cradle e-commerce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Cradle / e-commerce

latest demo version

References

NVD ↗ CVE.org ↗ EPSS Data ↗

incibe.es: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cradle-e-commerce

Credits

Gonzalo Aguilar García (6h4ack)