CVE-2026-44377

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly through the Smarty template engine. By leveraging this, an authenticated attacker with administrative privileges can bypass current restrictions and call native PHP functions within the templates, such as readgzfile() to read sensitive configuration files, or error_log() to write a malicious PHP web shell, ultimately achieving Information Disclosure and full Remote Code Execution (RCE). This vulnerability is fixed in 6.7.0.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/cubecart/v6/commit/76d783c8c4d87a8a90dbfef1344a2733e7c6434c
https://github.com/cubecart/v6/security/advisories/GHSA-wpjx-g695-qc5j
https://github.com/cubecart/v6/security/advisories/GHSA-wpjx-g695-qc5j

Configurations

No configuration.

History

14 May 2026, 15:16

Type	Values Removed	Values Added
References	~~() https://github.com/cubecart/v6/security/advisories/GHSA-wpjx-g695-qc5j -~~	() https://github.com/cubecart/v6/security/advisories/GHSA-wpjx-g695-qc5j -

13 May 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-13 21:16

Updated : 2026-05-14 16:49

NVD link : CVE-2026-44377

Mitre link : CVE-2026-44377

CVE.ORG link : CVE-2026-44377

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

9.1 /10