CVE-2026-45714: RCE in CubeCart v6 Ecommerce Software
Platform
php
Component
cubecart-v6
Fixed in
6.7.0
CubeCart v6, an ecommerce software solution, suffers from a critical Remote Code Execution (RCE) vulnerability. This flaw, stemming from an Authenticated Server-Side Template Injection (SSTI), allows authenticated administrative users to execute arbitrary operating system commands. The vulnerability impacts versions 6.0.0 through 6.6.9 and is resolved in version 6.7.0.
Impact and Attack Scenarios
The impact of this RCE vulnerability is severe. An attacker, posing as an authenticated administrative user, can gain complete control over the affected CubeCart server. This includes the ability to install malware, steal sensitive data (customer information, payment details, database contents), modify website content, and potentially pivot to other systems on the network. The exploitation pattern resembles classic SSTI attacks, where template engines are misused to execute arbitrary code. Successful exploitation could lead to a complete compromise of the ecommerce platform and associated data, resulting in significant financial and reputational damage.
Exploitation Context
This vulnerability was published on 2026-05-13. Its CRITICAL CVSS score (9.1) indicates a high probability of exploitation. While no public Proof-of-Concept (POC) code has been publicly released as of this writing, the nature of SSTI vulnerabilities makes it likely that exploits will emerge. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting CubeCart installations.
Threat Intelligence
Exploit Status
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- High — admin or privileged account required to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation is to immediately upgrade CubeCart to version 6.7.0, which addresses the SSTI vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict administrative access to the CubeCart platform and enforce strong password policies. Implement a Web Application Firewall (WAF) with rules to detect and block SSTI attempts, specifically targeting Smarty template injection patterns. Monitor CubeCart logs for suspicious activity, such as unusual template rendering or command execution attempts. After upgrading, confirm the fix by attempting to trigger the SSTI vulnerability through administrative interfaces and verifying that the commands are properly sanitized.
How to fix
Actualice CubeCart a la versión 6.7.0 o superior para mitigar la vulnerabilidad de inyección de plantillas del lado del servidor (SSTI). Esta actualización corrige la forma en que se evalúan las plantillas Smarty, evitando la ejecución de comandos arbitrarios en el sistema.
Frequently asked questions
What is CVE-2026-45714 — RCE in CubeCart v6?
CVE-2026-45714 is a critical Remote Code Execution (RCE) vulnerability in CubeCart v6 ecommerce software. It allows authenticated administrators to execute arbitrary commands on the server via Server-Side Template Injection (SSTI).
Am I affected by CVE-2026-45714 in CubeCart v6?
Yes, if you are running CubeCart v6 versions 6.0.0 through 6.6.9, you are affected by this vulnerability. Upgrade to version 6.7.0 to resolve the issue.
How do I fix CVE-2026-45714 in CubeCart v6?
The recommended fix is to upgrade CubeCart to version 6.7.0. As a temporary workaround, restrict admin access and implement WAF rules to block SSTI attempts.
Is CVE-2026-45714 being actively exploited?
While no public exploits are currently known, the high severity and ease of exploitation associated with SSTI suggest a high probability of future exploitation attempts.
Where can I find the official CubeCart advisory for CVE-2026-45714?
Refer to the official CubeCart security advisory for detailed information and updates regarding CVE-2026-45714: [https://www.cubecart.com/security/advisories/]
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...