CVE-2026-3318
Deferred Deferred - Pending Action
Open Redirection in Cradle eCommerce Demo

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the ‘returnUrl’ parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result, it is possible to redirect users from the legitimate website to external pages. An attacker could exploit this vulnerability to deceive users and redirect them from a trusted URL to a malicious one without their knowledge.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-3318
EUVD
EUVD-2026-28545
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cradle ecommerce *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3318 is an open redirection vulnerability found in the demo version of the Cradle eCommerce platform. It occurs in the login form endpoint where the 'returnUrl' parameter is used to redirect users. Because the application does not properly validate this parameter, an attacker can manipulate it to redirect users from the legitimate website to an external, potentially malicious URL without their knowledge.

Impact Analysis

This vulnerability can be exploited by attackers to deceive users into navigating from a trusted site to a malicious one. This can lead to phishing attacks, malware distribution, or other malicious activities by exploiting the trust users have in the legitimate website.

Detection Guidance

This vulnerability can be detected by testing the login form endpoint of the Cradle eCommerce platform for open redirection via the 'returnUrl' parameter.

You can manually test by crafting URLs that include the 'returnUrl' parameter pointing to an external site and observing if the application redirects without validation.

For example, you can use curl commands to test the behavior:

  • curl -I "http://targetsite/login?returnUrl=http://malicious-site.com"
  • curl -v "http://targetsite/login?returnUrl=http://malicious-site.com"

If the response includes a redirect (HTTP 3xx) to the external URL specified in 'returnUrl', the vulnerability is present.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Cradle eCommerce platform to the latest version where the vulnerability has been fixed.

Additionally, as a temporary measure, you can implement input validation or filtering on the 'returnUrl' parameter to ensure it only allows internal URLs or safe redirects.

Monitoring and blocking suspicious redirect attempts at the web application firewall (WAF) level can also help reduce risk.

Compliance Impact

The provided information does not specify any direct impact of this open redirection vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3318. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart