CubeCart EUVD-2026-30175 | CVE-2026-45708 HIGH
Code Injection (CWE-94)
2026-05-13 · GitHub_M
CVSS 3.1 score 7.2 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis generated: Jun 08, 2026 09:04 (vuln.today)
Patch available: May 13, 2026 22:03 (EUVD)

Description (GitHub Advisory)

CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print.<md5>.php. files/.htaccess ships an explicit <Files print.*.php> allow from all </Files> carve-out, so the file is fetched and executed by any unauthenticated visitor. This vulnerability is fixed in 6.7.3.

Analysis (AI)

Authenticated remote code execution in CubeCart v6 prior to 6.7.3 allows an admin with documents-edit permission to embed raw PHP into the Invoice Editor template, which is later written to a predictable files/print.<md5>.php path that the bundled .htaccess explicitly exposes to unauthenticated visitors. SSVC rates technical impact as total and a POC exists, though EPSS remains very low (0.04%) and the issue is not on CISA KEV - no public exploit identified at time of analysis beyond researcher disclosure.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Obtain admin account with documents-edit rights
Delivery: Inject PHP payload into Invoice Editor template
Exploit: Trigger Print on any order
Install: Webshell written to files/print.<md5>.php
C2: Unauthenticated GET to print.<md5>.php URL
Execute: Execute commands as webserver user
Impact: Pivot to full store and database compromise

Vulnerability Assessment (AI)

Exploitation: Requires a CubeCart v6 instance prior to 6.7.3 with the default-shipped files/.htaccess containing the '<Files print.*.php> allow from all' carve-out and the Apache PHP handler enabled for the files/ directory. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals diverge: CVSS 7.2 is driven by Confidentiality/Integrity/Availability=High with AV:N/AC:L but PR:H, reflecting the need for a high-privilege admin account to inject the payload; yet the resulting payload is executable by AV:N/PR:N unauthenticated visitors, so the post-exploitation reach is broader than the score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has obtained (via phishing, credential reuse, or insider access) an admin account holding 'documents edit' permission opens the Invoice Editor and saves a template containing '<?php system($_GET["c"]); ?>'. When any administrator next clicks Print on an order, the malicious payload is written to files/print.<md5>.php; the attacker (or any unauthenticated visitor with the URL) then fetches /files/print.<md5>.php?c=id and executes arbitrary commands as the webserver user. …

Remediation: Vendor-released patch: upgrade to CubeCart 6.7.3 or later, per GHSA-747j-4mmc-cj63 (https://github.com/cubecart/v6/security/advisories/GHSA-747j-4mmc-cj63). … Detailed patch versions, workarounds, and compensating controls in full report.
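As an added defender-side check (example code written for this page, not CubeCart's own code and not part of the advisory), the following Python audit looks for the two conditions the description above names: it reads files/.htaccess for a `<Files print.*.php>` block that opens the file to everyone, and it lists any rendered files/print.<md5>.php that contains a PHP open tag, since a rendered invoice should be static HTML. The sample .htaccess and the sample print files are constructed inline; `audit`, `build_sample_dir` and the regular expressions are this example's own names and assumptions, not CubeCart identifiers.

```python
"""Defensive audit of a CubeCart-style files/ directory.

Checks (added example, not CubeCart code):
  1. does files/.htaccess carry a <Files print.*.php> block that allows all
  2. does any rendered files/print.<md5>.php contain a PHP open tag
     (a rendered invoice should be static HTML; PHP code in it suggests a
      tampered template)
All sample inputs below are constructed for the example.
"""
import os
import re
import tempfile

# Apache <Files ...> block whose pattern is print.*.php. Directive names are
# case-insensitive; DOTALL lets the body span lines or sit on one line.
_FILES_BLOCK = re.compile(
    r"<Files\s+\"?print\.\*\.php\"?\s*>(?P<body>.*?)</Files>",
    re.IGNORECASE | re.DOTALL,
)
# Either the 2.2-style or the 2.4-style directive that grants access to all.
_OPEN_TO_ALL = re.compile(
    r"^\s*(allow\s+from\s+all|require\s+all\s+granted)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def htaccess_has_print_carveout(htaccess_text: str) -> bool:
    """True if a <Files print.*.php> block grants access to everyone."""
    for m in _FILES_BLOCK.finditer(htaccess_text):
        if _OPEN_TO_ALL.search(m.group("body")):
            return True
    return False


_PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)   # <?php or <?= open tag
_PRINT_NAME = re.compile(r"^print\.[0-9a-f]{32}\.php$")  # print.<md5>.php


def find_tampered_print_files(files_dir: str) -> list:
    """Return names of print.<md5>.php files in files_dir that contain PHP code."""
    hits = []
    for name in sorted(os.listdir(files_dir)):
        if not _PRINT_NAME.match(name):
            continue
        path = os.path.join(files_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            if _PHP_TAG.search(fh.read()):
                hits.append(name)
    return hits


def audit(files_dir: str) -> dict:
    """Run both checks against one files/ directory."""
    with open(os.path.join(files_dir, ".htaccess"), encoding="utf-8") as fh:
        carveout = htaccess_has_print_carveout(fh.read())
    return {"carveout": carveout, "tampered": find_tampered_print_files(files_dir)}


# Constructed sample .htaccess modelled on the carve-out the advisory describes.
SAMPLE_HTACCESS = """\
Order deny,allow
Deny from all
<Files print.*.php>
    allow from all
</Files>
"""

CLEAN_NAME = "print." + "a" * 32 + ".php"   # constructed file names
TAMPERED_NAME = "print." + "b" * 32 + ".php"


def build_sample_dir() -> str:
    """Create a temporary files/ directory with one clean and one tampered invoice."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_HTACCESS)
    with open(os.path.join(d, CLEAN_NAME), "w", encoding="utf-8") as fh:
        fh.write("<html><body><h1>Invoice #1001</h1></body></html>")
    with open(os.path.join(d, TAMPERED_NAME), "w", encoding="utf-8") as fh:
        # Marker only: a PHP open tag where a rendered invoice should have none.
        fh.write("<html><body><h1>Invoice #1002</h1><?php /* marker */ ?></body></html>")
    return d


if __name__ == "__main__":
    print(audit(build_sample_dir()))
```

On a real installation, point `audit` at the store's files/ directory; a `carveout` of True on a version before 6.7.3 means the rendered print files are reachable without authentication, and any name in `tampered` warrants reviewing the Invoice Editor template and recent admin activity.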

Recommended Action (AI)

24 hours: Identify all CubeCart v6 installations and document current versions; review administrator activity logs for suspicious behavior or unauthorized template modifications. …


EUVD-2026-30175 vulnerability details – vuln.today
