Skip to main content

CubeCart CVE-2026-44377

| EUVD-2026-30165 CRITICAL
Code Injection (CWE-94)
2026-05-13 GitHub_M
PHP Information Disclosure Code Injection RCE V6
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 08:25 vuln.today
Analysis Generated
Jun 08, 2026 - 08:25 vuln.today
Patch available
May 13, 2026 - 22:03 EUVD
CVE Published
May 13, 2026 - 20:36 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly through the Smarty template engine. By leveraging this, an authenticated attacker with administrative privileges can bypass current restrictions and call native PHP functions within the templates, such as readgzfile() to read sensitive configuration files, or error_log() to write a malicious PHP web shell, ultimately achieving Information Disclosure and full Remote Code Execution (RCE). This vulnerability is fixed in 6.7.0.

AnalysisAI

Authenticated server-side template injection in CubeCart v6 before 6.7.0 lets administrators escape the Smarty template sandbox and invoke native PHP functions through modules such as Email Templates and Documents. Attackers can call readgzfile() to exfiltrate configuration secrets and error_log() with message_type=3 to drop a PHP webshell, yielding full remote code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain admin credentials
Delivery
Authenticate to CubeCart admin panel
Exploit
Edit Email Template or Document module
Install
Inject Smarty payload calling native PHP
C2
readgzfile() leaks config secrets
Execute
error_log() writes PHP webshell to webroot
Impact
Execute OS commands as web user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must already hold a valid administrator account on the CubeCart admin panel (CVSS PR:H) and reach the admin UI over the network (AV:N) - the vulnerable sinks are template-edit fields in Email Templates, Documents, and other Smarty-rendered admin modules in CubeCart v6 below 6.7.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals diverge sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has phished or credential-stuffed a CubeCart administrator logs into the admin panel and edits an Email Template or Document. They inject a Smarty payload invoking readgzfile() against includes/global.inc.php to dump database credentials, then call error_log('<?php system($_GET[c]); ?>', 3, 'images/.cache/sh.php') to drop a webshell into the document root and execute arbitrary OS commands. …
Remediation Vendor-released patch: upgrade to CubeCart 6.7.0, which extends the CubeCart_Smarty_Security disabled-function list to cover error_log, readgzfile, gzopen, simplexml_load_file, glob/scandir, and process-control functions as shown in commit 76d783c8c4d87a8a90dbfef1344a2733e7c6434c. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Audit administrator access logs and restrict template editing permissions to essential personnel. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-44377 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy