Server-Side Template Injection Vulnerability in CubeCart E-commerce Software
CVE-2026-44377

9.1 CRITICAL

Key Information:

Vendor: Cubecart

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-44377?

CubeCart, an e-commerce software solution, is affected by a server-side template injection vulnerability that can be exploited by an authenticated attacker with administrative privileges. Prior to version 6.7.0, multiple modules within CubeCart, including Email Templates and Documents, improperly evaluate user-supplied input through the Smarty template engine. This flaw enables attackers to bypass security controls and invoke native PHP functions, for example to read sensitive configuration files or execute malicious code. The result can be information disclosure and remote code execution, posing significant risks to the application's integrity and the security of its users.

Affected Version(s)

v6 < 6.7.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
