
CubeCart EUVD-2026-30170

CVE-2026-45053 · CRITICAL 9.1 (CVSS 3.1, GitHub Advisory)
Unrestricted Upload of File with Dangerous Type (CWE-434)
Published 2026-05-13 · Source: GitHub_M

Severity by source

GitHub Advisory (primary): 9.1 CRITICAL, AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis generated: Jun 08, 2026 08:22 (vuln.today)
Patch available: May 13, 2026 22:03 (EUVD)
CVE published: May 13, 2026 20:42 (NVD)

Description (GitHub Advisory)

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The endpoint allows any holder of an API key with files:rw permission to upload PHP source files into the web-accessible images/source/ directory, where they are executed by the web server. Combined with a path-traversal flaw in the same endpoint's filepath parameter, a single API request writes a webshell anywhere the webserver process can write - including the document root - yielding full Remote Code Execution. This vulnerability is fixed in 6.7.0.
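The description names two defects in the same handler: no dangerous-type check on what is written, and no confinement of the caller-supplied filepath. As an added example (not CubeCart's code, and not the 6.7.0 fix), the Python validator below shows the server-side checks a file-manager endpoint needs before it writes anything; the base directory, the image allowlist and the executable-extension list are assumptions, and it goes beyond the advisory by also rejecting double extensions such as logo.php.png and comparing the file's leading bytes with its declared type.

```python
import os

# Image types the file manager is expected to accept (assumption: an allowlist
# modelled on an image-upload endpoint, not CubeCart's actual configuration).
ALLOWED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Extensions a typical PHP web server hands to the interpreter (assumed list).
# Any of these anywhere in the name (e.g. "logo.php.png") is rejected, not only
# the final one, because some server configurations dispatch on any segment.
EXECUTABLE = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".phps"}


def validate_upload(base_dir, filepath, filename, content):
    """Return (True, resolved_target) for an acceptable upload, else (False, reason).

    base_dir: the only directory the endpoint may write into (e.g. images/source/).
    filepath: the caller-supplied subdirectory, the parameter the advisory names.
    """
    if "\x00" in filepath or "\x00" in filename:
        return False, "null byte in path"
    # Path confinement: canonicalise the requested target and require it to
    # remain inside the canonical base directory, which defeats '../' sequences.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filepath.lstrip("/\\"), filename))
    if os.path.commonpath([base, target]) != base:
        return False, "path escapes upload directory"
    # Dangerous-type check on the name that will actually be written to disk.
    parts = os.path.basename(target).lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    if any("." + p in EXECUTABLE for p in parts[1:]):
        return False, "executable extension"
    ext = "." + parts[-1]
    if ext not in ALLOWED_MAGIC:
        return False, "extension not in allowlist"
    # Content check: the declared type must match the file's leading bytes.
    if not content.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match declared type"
    return True, target
```

The order matters: confinement is decided on the resolved path, so a name that only becomes dangerous after normalisation is still caught by the extension check that follows.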

Analysis (AI)

Remote code execution in CubeCart v6 prior to 6.7.0 allows API key holders with files:rw permission to upload PHP webshells via the POST /api/v1/files REST endpoint. A path-traversal flaw in the filepath parameter lets attackers write executable files anywhere the webserver can write, including the document root, achieving full server takeover. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain API key with files:rw scope
Delivery: Craft POST to /api/v1/files with PHP payload
Exploit: Inject path traversal in filepath parameter
Execution: Write webshell to document root
Persist: Request webshell URL
Impact: Execute commands as webserver user

Vulnerability Assessment (AI)

Exploitation: Attacker must possess a valid CubeCart REST API key with the files:rw permission scope; the vulnerable POST /api/v1/files endpoint must be reachable from the attacker's network position; the deployment must run a version of CubeCart v6 below 6.7.0 with the REST API enabled; and the webserver process must have write access to a PHP-executable directory (default installations satisfy this for images/source/ and typically the document root). …

Risk Assessment: CVSS 9.1 reflects network attack vector, low complexity, no user interaction, and total CIA impact, but PR:H (high privileges required) means the attacker must already hold an API key with files:rw scope, a meaningful gate that downgrades real-world risk versus pre-auth RCE bugs of similar score. …

Exploit Scenario: An attacker who has obtained a valid API key with files:rw permission (through a leaked integration credential, a compromised staff account, or a careless third-party integration) sends a single authenticated POST to /api/v1/files with a PHP payload and a filepath value containing '../' sequences pointing at the document root. The server writes the file (e.g., shell.php) into a web-served directory, and the attacker fetches it to gain code execution as the webserver user. …

Remediation: Vendor-released patch: upgrade to CubeCart 6.7.0 or later, per advisory GHSA-652f-8c88-25cx (https://github.com/cubecart/v6/security/advisories/GHSA-652f-8c88-25cx). …

Recommended Action (AI)

Within 24 hours: Audit all CubeCart installations and identify versions prior to 6.7.0; disable or rotate API keys if not immediately patching. …


EUVD-2026-30170 vulnerability details – vuln.today
