Remote Code Execution Vulnerability in CubeCart eCommerce Software
CVE-2026-45708

7.2HIGH

Key Information:

Vendor: Cubecart
Status: V6
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-45708?

CubeCart, an eCommerce software solution, has a vulnerability that allows an admin with document edit permissions to save raw PHP code in the Invoice Editor. If an admin subsequently prints any order, the generated template is stored in a file that can be accessed and executed by any unauthenticated user, posing a significant security risk. This issue has been addressed in version 6.7.3, emphasizing the importance of keeping software up to date to mitigate such vulnerabilities.

Affected Version(s)

v6 < 6.7.3

References

https://github.com/cubecart/v6/security/advisories/GHSA-7...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 13, 2026

CVE-2026-45708 Data

JSON

Cubecart

What is CVE-2026-45708?

Affected Version(s)

References

CVSS V3.1

Timeline