Cubecart V6 vulnerabilities
13 known vulnerabilities affecting cubecart/v6.
Total CVEs: 13
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 4, MEDIUM 6
Vulnerabilities
CVE-2026-45053 | P2 | CRITICAL | CVSS 9.1 | CWE-434 | fixed in 6.7.0 | 2026-05-13
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The endpoint allows any holder of an API key with files:rw permission to upload PHP source files into the web-accessible images/source/ directory, where they
Source: nvd
CVE-2026-44376 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | PoC available | fixed in 6.7.0 | 2026-05-13
CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product. This flaw bypasses current filters, allowing an attacker
Source: nvd
CVE-2026-45714 | P3 | CRITICAL | CVSS 9.1 | CWE-94 | fixed in 6.7.0 | 2026-05-13
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty S
Source: nvd
CVE-2026-44377 | P3 | CRITICAL | CVSS 9.1 | CWE-94 | fixed in 6.7.0 | 2026-05-13
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly through the Smarty template engine. By leveraging this, an authenticated at
Source: nvd
CVE-2026-39358 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 6.6.0 | 2026-05-13
CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and sort_customer) of the Products and Logs endpoints in CubeCart v6.x. This allows an attacker to execute arbitrary SQL commands, compromising the co
Source: nvd
CVE-2026-45055 | P3 | HIGH | CVSS 8.1 | CWE-20 | fixed in 6.7.2 | 2026-05-13
CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email links, most critically the password-reset link in User::passwordRequest() (and the admin equivalent in Admin::passwordReq
Source: nvd
CVE-2026-45708 | P3 | HIGH | CVSS 7.2 | CWE-94 | fixed in 6.7.3 | 2026-05-13
CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print..php. files/.htaccess ships an explicit allow from all carve-out, so the file is fetched and executed by any unauthent
Source: nvd
CVE-2025-59335 | P3 | HIGH | CVSS 7.1 | CWE-613 | fixed in 6.5.11 | 2025-09-22
CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account, an unauthorized user can maintain access even after the password has been c
Source: nvd
CVE-2025-59413 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 6.5.11 | 2025-09-22
CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email ad
Source: nvd
CVE-2026-45054 | P4 | MEDIUM | CVSS 4.9 | CWE-89 | fixed in 6.7.0 | 2026-05-13
CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the column key and the direction value flow into the query string as bare SQL to
Source: nvd
CVE-2025-59412 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 6.5.11 | 2025-09-22
CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where user-supplied input is not properly sanitized before being displayed. An attacker can submit HTML tags inside the review description field. Once the administrator approves the review, the injected HTML is rendered on the pr
Source: nvd
CVE-2025-59411 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 6.5.11 | 2025-09-22
CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being ou
Source: nvd
CVE-2026-39428 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 6.6.0 | 2026-05-13
CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of a product. These payloads are stored in the database and executed wheneve
Source: nvd