Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-45714: RCE in CubeCart v6 Ecommerce Software
Platform
php
Component
cubecart-v6
Opgelost in
6.7.0
CubeCart v6, an ecommerce software solution, suffers from a critical Remote Code Execution (RCE) vulnerability. This flaw, stemming from an Authenticated Server-Side Template Injection (SSTI), allows authenticated administrative users to execute arbitrary operating system commands. The vulnerability impacts versions 6.0.0 through 6.6.9 and is resolved in version 6.7.0.
Impact en Aanvalsscenarioswordt vertaald…
The impact of this RCE vulnerability is severe. An attacker, posing as an authenticated administrative user, can gain complete control over the affected CubeCart server. This includes the ability to install malware, steal sensitive data (customer information, payment details, database contents), modify website content, and potentially pivot to other systems on the network. The exploitation pattern resembles classic SSTI attacks, where template engines are misused to execute arbitrary code. Successful exploitation could lead to a complete compromise of the ecommerce platform and associated data, resulting in significant financial and reputational damage.
Uitbuitingscontextwordt vertaald…
This vulnerability was published on 2026-05-13. Its CRITICAL CVSS score (9.1) indicates a high probability of exploitation. While no public Proof-of-Concept (POC) code has been publicly released as of this writing, the nature of SSTI vulnerabilities makes it likely that exploits will emerge. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting CubeCart installations.
Dreigingsinformatie
Exploit Status
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Hoog — beheerder of geprivilegieerd account vereist.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Hoog — volledige crash of uitputting van resources. Totale denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
Mitigatie en Workaroundswordt vertaald…
The primary mitigation is to immediately upgrade CubeCart to version 6.7.0, which addresses the SSTI vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict administrative access to the CubeCart platform and enforce strong password policies. Implement a Web Application Firewall (WAF) with rules to detect and block SSTI attempts, specifically targeting Smarty template injection patterns. Monitor CubeCart logs for suspicious activity, such as unusual template rendering or command execution attempts. After upgrading, confirm the fix by attempting to trigger the SSTI vulnerability through administrative interfaces and verifying that the commands are properly sanitized.
Hoe te verhelpenwordt vertaald…
Actualice CubeCart a la versión 6.7.0 o superior para mitigar la vulnerabilidad de inyección de plantillas del lado del servidor (SSTI). Esta actualización corrige la forma en que se evalúan las plantillas Smarty, evitando la ejecución de comandos arbitrarios en el sistema.
Veelgestelde vragenwordt vertaald…
What is CVE-2026-45714 — RCE in CubeCart v6?
CVE-2026-45714 is a critical Remote Code Execution (RCE) vulnerability in CubeCart v6 ecommerce software. It allows authenticated administrators to execute arbitrary commands on the server via Server-Side Template Injection (SSTI).
Am I affected by CVE-2026-45714 in CubeCart v6?
Yes, if you are running CubeCart v6 versions 6.0.0 through 6.6.9, you are affected by this vulnerability. Upgrade to version 6.7.0 to resolve the issue.
How do I fix CVE-2026-45714 in CubeCart v6?
The recommended fix is to upgrade CubeCart to version 6.7.0. As a temporary workaround, restrict admin access and implement WAF rules to block SSTI attempts.
Is CVE-2026-45714 being actively exploited?
While no public exploits are currently known, the high severity and ease of exploitation associated with SSTI suggest a high probability of future exploitation attempts.
Where can I find the official CubeCart advisory for CVE-2026-45714?
Refer to the official CubeCart security advisory for detailed information and updates regarding CVE-2026-45714: [https://www.cubecart.com/security/advisories/]
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Probeer het nu — geen account
Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...