CubeCart CVE-2026-21719

EUVD-2026-23366 | HIGH 8.6 (CVSS 4.0 · NVD)
OS Command Injection (CWE-78)
2026-04-17 · jpcert
Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

8 events

  • Apr 20, 2026 - 14:59 · vuln.today · Analysis Updated · v4 (cvss_changed)
  • Apr 17, 2026 - 06:27 · vuln.today · Analysis Updated · v2 (cvss_changed)
  • Apr 17, 2026 - 06:22 · vuln.today · Re-analysis Queued · cvss_changed
  • Apr 17, 2026 - 06:22 · NVD · CVSS changed · 7.2 (HIGH) → 8.6 (HIGH)
  • Apr 17, 2026 - 05:36 · vuln.today · Analysis Generated
  • Apr 17, 2026 - 05:30 · euvd · EUVD ID Assigned · EUVD-2026-23366
  • Apr 17, 2026 - 05:30 · vuln.today · Analysis Generated
  • Apr 17, 2026 - 04:33 · nvd · CVE Published · HIGH 8.6

Description (CVE.org)

An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command.

Analysis (AI)

Authenticated OS command injection in CubeCart prior to version 6.6.0 allows administrators to execute arbitrary system commands on the hosting server. Reported by JPCERT, this vulnerability requires high-privilege (admin) access but then permits full system compromise. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Compromise admin credentials
  • Delivery: Authenticate to CubeCart admin panel
  • Exploit: Navigate to vulnerable admin function
  • Install: Inject shell metacharacters in input field
  • C2: Execute arbitrary OS commands
  • Execute: Establish persistence via web shell
  • Impact: Exfiltrate sensitive data

Vulnerability Assessment (AI)

Exploitation: Administrative privilege (high-privilege authenticated session) in CubeCart admin panel is required. …

Risk Assessment: Real-world risk assessment reveals moderate practical threat despite high CVSS 8.6 rating. …

Exploit Scenario: An attacker compromises a CubeCart administrator account through credential phishing or password reuse from a data breach. Authenticating to the admin panel at /admin.php, they navigate to a vulnerable administrative function that processes user input into system commands (likely in store settings, file management, or plugin configuration areas). …

Remediation: Upgrade to CubeCart version 6.6.0 or later immediately, as confirmed by vendor community announcement at https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405. …

Recommended Action (AI)

Within 24 hours: Inventory all CubeCart deployments and identify versions below 6.6.0; verify current admin user list and review recent admin account activity logs. …
