
CubeCart CVE-2026-45714

EUVD-2026-30176 · CRITICAL
Code Injection (CWE-94)
2026-05-13 · GitHub_M
CVSS 3.1 score 9.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 08:24 (vuln.today)
Patch available: May 13, 2026 - 22:03 (EUVD)
CVE Published: May 13, 2026 - 20:43 (nvd)

Description (GitHub Advisory)

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0.

Analysis (AI)

Authenticated server-side template injection in CubeCart v6 prior to 6.7.0 allows administrative users to achieve remote code execution by injecting Smarty template syntax into multiple admin-facing modules including Email Templates, Invoices, Documents, and Contact Forms. The flaw stems from evaluating user-supplied content through the Smarty engine without enabling Smarty Security Policies, granting OS-level command execution on the underlying server. …
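The weakness class named in the description and analysis above, rendering admin-editable template text through Smarty with no security policy, and the Smarty-side mitigation, shown as an added example written for this page. It is not CubeCart's or Smarty's own code: the two render functions, the `RestrictedTemplatePolicy` class, its allow-lists and the Composer autoload path are assumptions; the `Smarty_Security` property names and `enableSecurity()` are the documented Smarty 3.x/4.x API.

```php
<?php
// Added example, not CubeCart's code. Assumes Smarty 3.x or 4.x installed
// via Composer; with a manual install use require_once 'libs/Smarty.class.php'.
require_once __DIR__ . '/vendor/autoload.php';

// UNSAFE pattern: the stored template body is compiled and executed by Smarty
// with no security policy, so every tag, modifier, PHP function and static
// class call the engine supports is reachable from whatever an admin saved.
function render_email_template_unsafe(string $templateBody, array $vars): string
{
    $smarty = new Smarty();
    $smarty->assign($vars);
    // The 'string:' resource compiles the body itself as a template.
    return $smarty->fetch('string:' . $templateBody);
}

// Restrictive policy (assumed allow-lists): only the PHP functions and
// modifiers an e-mail or invoice template plausibly needs; no static classes,
// no stream resources, no constants or superglobals, no PHP templates, and no
// {include}/{extends}/{insert} of other files from the stored body.
class RestrictedTemplatePolicy extends Smarty_Security
{
    public $php_functions       = ['isset', 'empty', 'count', 'nl2br', 'number_format'];
    public $php_modifiers       = ['escape', 'count', 'nl2br', 'number_format'];
    public $static_classes      = null;   // null disables all static class access
    public $streams             = null;   // null disables all stream resources
    public $allow_constants     = false;
    public $allow_super_globals = false;
    public $allow_php_templates = false;
    public $disabled_tags       = ['include', 'extends', 'insert'];
}

// HARDENED pattern: same rendering path, but Smarty enforces the policy while
// compiling and executing; a disallowed construct raises a
// SmartyCompilerException instead of running.
function render_email_template_hardened(string $templateBody, array $vars): string
{
    $smarty = new Smarty();
    $smarty->enableSecurity(new RestrictedTemplatePolicy($smarty));
    $smarty->assign($vars);
    return $smarty->fetch('string:' . $templateBody);
}

// Constructed sample input: a benign template using only allowed modifiers.
$vars = ['customer' => 'Jane <Doe>', 'total' => 42.5];
echo render_email_template_hardened(
    'Dear {$customer|escape}, your order total is {$total|number_format:2}.',
    $vars
), PHP_EOL;
```

Wrapping the hardened call in a try/catch for `SmartyCompilerException` and logging which administrator saved the rejected template gives a detection signal for attempts to store disallowed constructs, independent of whether the rendering is triggered later by an order e-mail or a document preview.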


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain admin credentials
Delivery: Authenticate to CubeCart admin panel
Exploit: Inject Smarty payload into template module
Execution: Trigger template rendering
Persist: Execute OS commands as web user
Impact: Establish persistence or exfiltrate data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated session with CubeCart administrative privileges (CVSS PR:H), network reach to the CubeCart admin panel, and the ability to save and render content in one of the Smarty-backed modules (Email Templates, Invoices, Documents, or Contact Forms) on a CubeCart v6 instance older than 6.7.0 where Smarty Security Policies are not enabled, which is the default configuration. …

Risk Assessment: The CVSS 9.1 score is driven by the network attack vector, low complexity, no user interaction, changed scope, and total CIA impact, but PR:H tempers real-world risk because exploitation requires existing administrative credentials on the CubeCart instance. …

Exploit Scenario: An attacker who has obtained CubeCart administrator credentials (via phishing, credential reuse, or a separate compromise) logs into the admin panel and edits an Email Template, Invoice template, Document, or Contact Form, embedding Smarty syntax that invokes PHP system functions. When the template is rendered (for example by triggering an order confirmation email or previewing the document), the server executes the attacker's OS commands under the web server account, enabling webshell deployment, database exfiltration, or pivoting. …

Remediation: Apply the vendor-released patch by upgrading CubeCart v6 to version 6.7.0 or later, which is the fix identified in advisory GHSA-pcfr-xgc9-xfv6 (https://github.com/cubecart/v6/security/advisories/GHSA-pcfr-xgc9-xfv6). …

Recommended Action (AI)

Within 24 hours: Identify all CubeCart v6 installations and determine versions; restrict administrative access to affected systems to essential personnel only and increase monitoring of admin activities. …



CVE-2026-45714 vulnerability details – vuln.today
