CVE-2026-44377: CubeCart Ecommerce Software: Authenticated Code Execution Risk

Summary

A security issue exists in CubeCart versions before 6.7.0, in the Email Templates and Documents features. An attacker with admin access could read sensitive files or create malicious code, which could lead to unauthorized access to sensitive information or even full control of the website. To fix this, update to CubeCart version 6.7.0 or later.

Original title
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates an...
Original description
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly through the Smarty template engine. By leveraging this, an authenticated attacker with administrative privileges can bypass current restrictions and call native PHP functions within the templates, such as readgzfile() to read sensitive configuration files, or error_log() to write a malicious PHP web shell, ultimately achieving Information Disclosure and full Remote Code Execution (RCE). This vulnerability is fixed in 6.7.0.
NVD CVSS 3.1: 9.1
Vulnerability type
CWE-94 Code Injection
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
Published: 13 May 2026 · Updated: 30 May 2026 · First seen: 13 May 2026
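
Added example, not from the CubeCart project or the advisory: a Python sketch for auditing stored template text (for instance exported email templates or documents) for Smarty tags that call functions or modifiers outside an allowlist, such as the readgzfile() and error_log() uses named in the description. The allowlist, the sample template and the name `audit_template` are assumptions made for illustration.

```python
import re

# Assumed allowlist for this sketch: Smarty control keywords plus a few
# built-in modifiers. Tune it to what your own templates legitimately use.
ALLOWED = {"if", "elseif", "while", "for", "foreach", "isset", "empty",
           "escape", "default", "date_format", "nl2br", "truncate", "count"}

# {tag} with default delimiters; skips "{ " (literal text) and {* comments *}.
TAG = re.compile(r"\{(?![\s*])([^{}]*)\}")
# Plain name( ... ) calls; $obj->method( and Class::method( are not covered.
CALL = re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")
# {$var|name} or {$var|@name} modifiers.
MODIFIER = re.compile(r"\|\s*@?([A-Za-z_]\w*)")


def audit_template(text, allowed=ALLOWED):
    """Return sorted (line_no, kind, name) for names outside the allowlist."""
    findings = set()
    for tag in TAG.finditer(text):
        line_no = text.count("\n", 0, tag.start()) + 1
        body = tag.group(1)
        for kind, pattern in (("call", CALL), ("modifier", MODIFIER)):
            for m in pattern.finditer(body):
                name = m.group(1).lower()
                if name not in allowed:
                    findings.add((line_no, kind, name))
    return sorted(findings)


# Constructed sample, not taken from CubeCart: benign template lines followed
# by two lines that use the functions the advisory names.
SAMPLE = """Hello {$DATA.first_name|escape},
{* order summary *}
{if count($ITEMS) > 0}Your order shipped on {$DATA.date|date_format}.{/if}
{readgzfile($path)}
{$msg|error_log}
"""

if __name__ == "__main__":
    for line_no, kind, name in audit_template(SAMPLE):
        print(f"line {line_no}: {kind} {name}")
```

The scan over-reports by design (it does not parse quoted strings or nested braces), so treat each finding as a template to review by hand rather than as proof of compromise.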