CVE-2026-3318
CWE-601 · Published: May 8, 2026 · Updated: May 8, 2026
Official Description
Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the ‘returnUrl’ parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result, it is possible to redirect users from the legitimate website to external pages. An attacker could exploit this vulnerability to deceive users and redirect them from a trusted URL to a malicious one without their knowledge.
Technical Analysis
CVE-2026-3318 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (P) is needed, which slightly reduces the risk of mass automated attacks.
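The failure mode described above is a `returnUrl` value that is used as a redirect target without being checked. The following is an added illustration, not code from Cradle eCommerce: a same-site check for such a parameter beside the trust-everything pattern the description implies. The function names, the `/account` fallback path and the sample values are assumptions.

```python
from urllib.parse import urlsplit


def is_safe_return_url(return_url: str) -> bool:
    """Accept only a relative path on the current site.

    Rejects absolute URLs, scheme-relative '//host' forms, backslash
    variants that browsers normalise into '//', and control characters.
    """
    if not return_url or len(return_url) > 2048:
        return False
    # Reject control characters and whitespace: browsers strip TAB/CR/LF
    # before parsing, so "/\t/evil.example" would turn into "//evil.example".
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in return_url):
        return False
    # Browsers treat a backslash like a forward slash, so "/\evil.example"
    # is parsed as "//evil.example", a scheme-relative off-site redirect.
    normalised = return_url.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False  # "https://evil.example", "//evil.example", "javascript:..."
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    return True


def vulnerable_redirect_target(return_url: str) -> str:
    # The pattern the advisory describes: the parameter is trusted as-is.
    return return_url or "/"


def hardened_redirect_target(return_url: str) -> str:
    # Fall back to a fixed local page (assumed: /account) whenever the
    # supplied value is not a same-site path.
    if is_safe_return_url(return_url):
        return return_url
    return "/account"
```

A login handler that calls `hardened_redirect_target` before issuing the 302 cannot be steered off-site by the parameter, whichever encoding trick is used.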
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-3318 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts