免费扫描

此页面尚未翻译为您的语言。我们正在努力翻译,目前显示英文内容。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

CRITICALCVE-2026-45714CVSS 9.1

CVE-2026-45714: RCE in CubeCart v6 Ecommerce Software

平台

php

组件

cubecart-v6

修复版本

6.7.0

在NVD查看
保存
正在翻译为您的语言…

CubeCart v6, an ecommerce software solution, suffers from a critical Remote Code Execution (RCE) vulnerability. This flaw, stemming from an Authenticated Server-Side Template Injection (SSTI), allows authenticated administrative users to execute arbitrary operating system commands. The vulnerability impacts versions 6.0.0 through 6.6.9 and is resolved in version 6.7.0.

影响与攻击场景翻译中…

The impact of this RCE vulnerability is severe. An attacker, posing as an authenticated administrative user, can gain complete control over the affected CubeCart server. This includes the ability to install malware, steal sensitive data (customer information, payment details, database contents), modify website content, and potentially pivot to other systems on the network. The exploitation pattern resembles classic SSTI attacks, where template engines are misused to execute arbitrary code. Successful exploitation could lead to a complete compromise of the ecommerce platform and associated data, resulting in significant financial and reputational damage.

利用背景翻译中…

This vulnerability was published on 2026-05-13. Its CRITICAL CVSS score (9.1) indicates a high probability of exploitation. While no public Proof-of-Concept (POC) code has been publicly released as of this writing, the nature of SSTI vulnerabilities makes it likely that exploits will emerge. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting CubeCart installations.

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露
报告3 份威胁报告

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H9.1CRITICALAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredHigh攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeChanged超出受影响组件的影响范围ConfidentialityHigh敏感数据泄露风险IntegrityHigh数据未授权篡改风险AvailabilityHigh服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
高 — 需要管理员或特权账户。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
已改变 — 攻击可以超出脆弱组件,影响其他系统。
Confidentiality
高 — 完全丧失机密性,攻击者可读取所有数据。
Integrity
高 — 攻击者可写入、修改或删除任何数据。
Availability
高 — 完全崩溃或资源耗尽,完全拒绝服务。

受影响的软件

组件cubecart-v6
供应商cubecart
最低版本6.0.0
最高版本< 6.7.0
修复版本6.7.0

弱点分类 (CWE)

CWE-94CWE-1336

时间线

  1. 已保留
  2. 发布日期

缓解措施和替代方案翻译中…

The primary mitigation is to immediately upgrade CubeCart to version 6.7.0, which addresses the SSTI vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict administrative access to the CubeCart platform and enforce strong password policies. Implement a Web Application Firewall (WAF) with rules to detect and block SSTI attempts, specifically targeting Smarty template injection patterns. Monitor CubeCart logs for suspicious activity, such as unusual template rendering or command execution attempts. After upgrading, confirm the fix by attempting to trigger the SSTI vulnerability through administrative interfaces and verifying that the commands are properly sanitized.

修复方法翻译中…

Actualice CubeCart a la versión 6.7.0 o superior para mitigar la vulnerabilidad de inyección de plantillas del lado del servidor (SSTI). Esta actualización corrige la forma en que se evalúan las plantillas Smarty, evitando la ejecución de comandos arbitrarios en el sistema.

常见问题翻译中…

What is CVE-2026-45714 — RCE in CubeCart v6?

CVE-2026-45714 is a critical Remote Code Execution (RCE) vulnerability in CubeCart v6 ecommerce software. It allows authenticated administrators to execute arbitrary commands on the server via Server-Side Template Injection (SSTI).

Am I affected by CVE-2026-45714 in CubeCart v6?

Yes, if you are running CubeCart v6 versions 6.0.0 through 6.6.9, you are affected by this vulnerability. Upgrade to version 6.7.0 to resolve the issue.

How do I fix CVE-2026-45714 in CubeCart v6?

The recommended fix is to upgrade CubeCart to version 6.7.0. As a temporary workaround, restrict admin access and implement WAF rules to block SSTI attempts.

Is CVE-2026-45714 being actively exploited?

While no public exploits are currently known, the high severity and ease of exploitation associated with SSTI suggest a high probability of future exploitation attempts.

Where can I find the official CubeCart advisory for CVE-2026-45714?

Refer to the official CubeCart security advisory for detailed information and updates regarding CVE-2026-45714: [https://www.cubecart.com/security/advisories/]

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE
live免费扫描

立即试用 — 无需账户

上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。

手动扫描Slack/邮件提醒持续监控白标报告

拖放您的依赖文件

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...