Software Detail
EC-CUBE: Number of NVD entries 50 (CRITICAL 0, HIGH 10, MEDIUM 39, LOW 1)
URL https://www.ec-cube.net/
Explanation: This is a CMS, made in Japan, for building e-commerce sites.
It is currently supported in three versions: Series 2, Series 3, and Series 4.
Support for Series 2 was scheduled to end with the release of Series 3, but due to the large number of users, support has been extended.

With the Cloud version, you can use EC-CUBE right away without having to prepare a server.
Tag
  • Open source
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.ec-cube.net/press/detail.php?press_id=212
2 https://www.ec-cube.net/download/
3 https://www.ec-cube.net/news/detail.php?news_id=84
4 https://github.com/EC-CUBE/ec-cube3
5 https://github.com/EC-CUBE/ec-cube2

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support Service Pack Support Extended for a fee Critical High Medium Low
41 EC-CUBE 4 4.3.1-p1 March 4, 2026 Oct. 11, 2018 0 3 8 1
42 EC-CUBE 3 3.0.18 July 5, 2019 July 1, 2015 0 5 7 1
43 EC-CUBE 2 2.13.5-p2 Aug. 17, 2023 Dec. 4, 2007 0 4 27 0
44 EC-CUBE 1 1.4.0 Oct. 1, 2008 Feb. 14, 2007 Nov. 6, 2008 0 2 9 0
NVD Vulnerability Information
No CVSS3/CVSS2 Level Attack Vector Title CWE CVE cpe23Uri or higher or less more than less than Update date/Published date
41 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in the shopping-cart screen in LOCKON EC-CUBE 2.11.0 through 2.12.3enP2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. CWE-79
Cross-site Scripting
CVE-2013-2312 cpe:2.3:a:lockon:ec-cube:2.12.3enp2:*
cpe:2.3:a:lockon:ec-cube:2.12.3enp1:*
cpe:2.3:a:lockon:ec-cube:2.12.3en:*
2024-11-21 10:51
2013-05-30
42 -
7.5
HIGH SQL injection vulnerability in data/class/SC_Query.php in EC-CUBE 2.11.0 through 2.11.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. CWE-89
SQL Injection
CVE-2011-3988 cpe:2.3:a:lockon:ec-cube:2.11.2:*
cpe:2.3:a:lockon:ec-cube:2.11.1:*
cpe:2.3:a:lockon:ec-cube:2.11.0:*
2024-11-21 10:31
2011-10-22
43 -
5.8
MEDIUM Cross-site request forgery (CSRF) vulnerability in EC-CUBE before 2.11.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. CWE-352
 Origin Validation Error
CVE-2011-1325 cpe:2.3:a:lockon:ec-cube:2.5.0:alpha
cpe:2.3:a:lockon:ec-cube:2.5.0:alpha2
cpe:2.3:a:lockon:ec-cube:2.4.4:*
cp…
2.11.0 2024-11-21 10:26
2011-05-14
44 -
4.3
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in (1) data/Smarty/templates/default/list.tpl and (2) data/Smarty/templates/default/campaign/bloc/cart_tag.tpl in EC-CUBE before 2.4.4 allow remote… CWE-79
Cross-site Scripting
CVE-2011-0451 cpe:2.3:a:lockon:ec-cube:2.4.4:*
cpe:2.3:a:lockon:ec-cube:2.4.2:*
cpe:2.3:a:lockon:ec-cube:2.4.1:*
cpe:2.3:a:l…
2.4.3 2024-11-21 10:24
2011-02-4
45 -
7.5
HIGH SQL injection vulnerability in LOCKON CO.,LTD. EC-CUBE 2.3.0 and earlier, 1.4.7 and earlier, and 1.5.0-beta2 and earlier; and Community Edition 1.3.5 and earlier allows remote attackers to execute ar… CWE-89
SQL Injection
CVE-2008-4991 cpe:2.3:a:ec-cube:ec-cube:1.3.4:unknown
cpe:2.3:a:ec-cube:ec-cube:*:unknown
cpe:2.3:a:ec-cube:ec-cube:*:b2
cpe…
1.3.5
1.5.0
1.4.7
2.3.0
2026-04-23 09:35
2008-11-7
46 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in EC-CUBE Ver1 1.4.6 and earlier, Ver1 Beta 1.5.0-beta and earlier, Ver2 2.1.2a and earlier, Ver2 Beta(RC) 2.1.1-beta and earlier, Community Edition 1.3.4 an… CWE-79
Cross-site Scripting
CVE-2008-4537 cpe:2.3:a:ec-cube:ec-cube:1.5.0:b2
cpe:2.3:a:ec-cube:ec-cube:1.4.7:*
cpe:2.3:a:ec-cube:ec-cube:1.0:*
cpe:2.3:a…
1.3.4
2.1.2a
2.3.0
2026-04-23 09:35
2008-10-11
47 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in EC-CUBE Ver1 1.4.6 and earlier, Ver1 Beta 1.5.0-beta and earlier, Ver2 2.1.2a and earlier, Ver2 Beta(RC) 2.2.0-beta and earlier, Community Edition 1.3.4 an… CWE-79
Cross-site Scripting
CVE-2008-4536 cpe:2.3:a:ec-cube:ec-cube:1.5.0:b2
cpe:2.3:a:ec-cube:ec-cube:1.4.7:*
cpe:2.3:a:ec-cube:ec-cube:1.0:*
cpe:2.3:a…
1.3.4
2.1.2a
2.3.0
2026-04-23 09:35
2008-10-11
48 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in EC-CUBE Ver2 2.1.2a and earlier, EC-CUBE Ver2 Beta(RC) 2.2.0-beta and earlier, and EC-CUBE Community Edition Nightly-Build r17623 and earlier allows remote … CWE-79
Cross-site Scripting
CVE-2008-4535 cpe:2.3:a:ec-cube:ec-cube:1.5.0:b2
cpe:2.3:a:ec-cube:ec-cube:1.4.7:*
cpe:2.3:a:ec-cube:ec-cube:1.0:*
cpe:2.3:a…
2.1.2a
2.3.0
2026-04-23 09:35
2008-10-11
49 -
7.5
HIGH SQL injection vulnerability in EC-CUBE Ver2 2.1.2a and earlier, and Ver2 RC 2.3.0-rc1 and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. CWE-89
SQL Injection
CVE-2008-4534 cpe:2.3:a:ec-cube:ec-cube:1.5.0:b2
cpe:2.3:a:ec-cube:ec-cube:1.4.7:*
cpe:2.3:a:ec-cube:ec-cube:1.0:*
cpe:2.3:a…
2.1.2a
2.3.0
2026-04-23 09:35
2008-10-11
50 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in EC-CUBE before 1.0.1a-beta allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. CWE-79
Cross-site Scripting
CVE-2006-6108 cpe:2.3:a:ec-cube:ec-cube:1.0:* 2026-04-23 09:35
2006-11-27