SQL Injection Vulnerability in CubeCart E-commerce Software
CVE-2026-45054

4.9MEDIUM

Key Information:

Vendor: Cubecart
Status: V6
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-45054?

CubeCart, an e-commerce software solution, has a vulnerability in its admin orders-transactions listing page that can allow an attacker to exploit SQL injection. The issue arises from the application's unsafe construction of an ORDER BY clause using unvalidated parameters from the attacker-controlled $_GET['sort'] array. An authenticated administrator with basic permissions can manipulate these parameters, leading to the execution of arbitrary SQL commands on the store's database. This can potentially expose sensitive information such as administrator password hashes, customer personal identifiable information (PII), and payment gateway credentials. This vulnerability has been addressed in version 6.7.0.

Affected Version(s)

v6 < 6.7.0

References

https://github.com/cubecart/v6/security/advisories/GHSA-r...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 8, 2026

CVE-2026-45054 Data

JSON

Cubecart

What is CVE-2026-45054?

Affected Version(s)

References

CVSS V3.1

Timeline