CubeCart: Admins Can Run Any System Command

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.6

CubeCart: Admins Can Run Any System Command

CVE-2026-21719

Summary

A security issue in CubeCart's administrative interface allows an attacker with admin privileges to execute any system command, potentially leading to data loss or system compromise. This affects all versions of CubeCart prior to 6.6.0. Update to version 6.6.0 or later to fix this issue.

Original title

An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command.

Original description

An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command.

nvd CVSS3.0 7.2

nvd CVSS4.0 8.6

Vulnerability type

CWE-78 OS Command Injection

https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-y...
https://jvn.jp/en/jp/JVN78422311/

Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026