Authentication Flaw in CubeCart E-commerce Software Allows File Upload Vulnerabilities
CVE-2026-45053

9.1 CRITICAL

Key Information:

Vendor: Cubecart

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-45053?

The CubeCart e-commerce platform is susceptible to an authenticated arbitrary file upload vulnerability in its REST API File Manager endpoint. Prior to version 6.7.0, any user with an API key that has the files:rw permission can upload malicious PHP files to a publicly accessible directory. When the web server executes these files, the result can be full remote code execution. The issue is compounded by a path traversal vulnerability in the same endpoint, which lets attackers specify arbitrary file paths and so potentially affect critical areas of the system. The vulnerability is fixed in version 6.7.0.

Affected Version(s)

v6 < 6.7.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved