無料スキャン

このページはまだあなたの言語に翻訳されていません。翻訳作業中のため、英語でコンテンツを表示しています。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

CRITICALCVE-2026-44377CVSS 9.1

CVE-2026-44377: RCE in CubeCart v6 Ecommerce Software

プラットフォーム

php

コンポーネント

cubecart-v6

修正版

6.7.0

NVDで見る
保存
あなたの言語に翻訳中…

A critical Remote Code Execution (RCE) vulnerability (CVE-2026-44377) has been identified in CubeCart v6, an ecommerce software solution. This vulnerability stems from an Authenticated Server-Side Template Injection (SSTI) flaw within multiple modules, allowing an attacker with administrative privileges to execute arbitrary code. The vulnerability impacts versions 6.0.0 through 6.6.9, and a patch is available in version 6.7.0.

影響と攻撃シナリオ翻訳中…

The impact of CVE-2026-44377 is severe. An authenticated attacker, possessing administrative access to a CubeCart v6 instance, can leverage the SSTI vulnerability to bypass security restrictions and directly call native PHP functions within templates. This allows for a wide range of malicious actions, including reading sensitive configuration files (e.g., using readgzfile()) and, critically, writing malicious PHP web shells. Successful exploitation grants the attacker complete control over the affected server, enabling data theft, modification, and further lateral movement within the network. The potential for data exfiltration and system takeover is significant, mirroring the impact of other SSTI vulnerabilities like those seen in earlier template engines.

悪用の状況翻訳中…

CVE-2026-44377 was published on May 13, 2026. Its severity is rated CRITICAL (CVSS 9.1). As of this writing, there are no publicly known active campaigns exploiting this vulnerability. However, the ease of exploitation and the potential for significant impact suggest that it will likely become a target for malicious actors. Public Proof-of-Concept (POC) code is anticipated to emerge, increasing the risk of exploitation. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of exploitation in the short term, but this could change rapidly.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出
レポート1 脅威レポート

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H9.1CRITICALAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredHigh攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeChanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityHighサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
高 — 管理者または特権アカウントが必要。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化あり — 攻撃が脆弱なコンポーネントを超えて他のシステムに波及可能。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
高 — 完全なクラッシュまたはリソース枯渇。完全なサービス拒否。

影響を受けるソフトウェア

コンポーネントcubecart-v6
ベンダーcubecart
最小バージョン6.0.0
最大バージョン< 6.7.0
修正版6.7.0

弱点分類 (CWE)

CWE-94CWE-1336

タイムライン

  1. 予約済み
  2. 公開日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-44377 is to immediately upgrade CubeCart to version 6.7.0, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. While a direct WAF rule targeting the SSTI payload is difficult to create due to the dynamic nature of template injection, strict input validation on all user-supplied data within CubeCart templates can help reduce the attack surface. Review and restrict access to sensitive configuration files to limit potential data exposure. Monitor CubeCart logs for suspicious activity, particularly attempts to execute unusual PHP functions within templates. After upgrading to 6.7.0, verify the fix by attempting to inject a simple PHP payload within a template and confirming that it is properly sanitized and does not execute.

修正方法翻訳中…

Actualice CubeCart a la versión 6.7.0 o posterior para mitigar la vulnerabilidad de inyección de plantillas del lado del servidor (SSTI). Esta actualización corrige la forma en que se evalúan las plantillas, evitando la ejecución de código PHP no autorizado a través de la entrada del usuario.

よくある質問翻訳中…

What is CVE-2026-44377 — RCE in CubeCart v6?

CVE-2026-44377 is a critical Remote Code Execution (RCE) vulnerability in CubeCart v6 ecommerce software. It allows authenticated administrators to execute arbitrary PHP code through an SSTI flaw, potentially leading to full system compromise.

Am I affected by CVE-2026-44377 in CubeCart v6?

You are affected if you are running CubeCart v6 versions 6.0.0 through 6.6.9. Upgrade to version 6.7.0 to address this vulnerability.

How do I fix CVE-2026-44377 in CubeCart v6?

The recommended fix is to upgrade CubeCart to version 6.7.0. If immediate upgrade is not possible, implement temporary workarounds like strict input validation and restricting access to sensitive files.

Is CVE-2026-44377 being actively exploited?

As of the current date, there are no publicly known active campaigns exploiting CVE-2026-44377, but the vulnerability's severity and ease of exploitation suggest it may become a target.

Where can I find the official CubeCart advisory for CVE-2026-44377?

Refer to the official CubeCart security advisory for CVE-2026-44377 on the CubeCart website or their security announcement channels. (Link will be available upon official release).

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...