Description

Loaded Commerce 6.6 contains a client-side template injection vulnerability that allows unauthenticated attackers to execute code on the server via the search parameter.

PUBLISHED Reserved 2025-12-04 | Published 2025-12-04 | Updated 2025-12-04 | Assigner VulnCheck

MEDIUM: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

6.6: affected

Credits

tmrswrr (finder)

References

www.exploit-db.com/exploits/52084 (ExploitDB-52084) exploit

loadedcommerce.com/ (Loaded Commerce Homepage) product

www.vulncheck.com/...e-66-client-side-template-injectioncsti third-party-advisory

cve.org (CVE-2025-66572)

nvd.nist.gov (CVE-2025-66572)