Server-Side Template Injection Vulnerability in CubeCart by CubeCart Ltd.
CVE-2026-45714

9.1 CRITICAL

Key Information:

Vendor: Cubecart

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-45714?

An authenticated server-side template injection (SSTI) vulnerability exists in multiple modules of CubeCart, an ecommerce platform. The application unsafely evaluates user-supplied input with the Smarty template engine without enabling the necessary Smarty security policies. As a result, any authenticated user with administrative privileges can execute arbitrary operating system commands on the server, potentially leading to remote code execution. This issue was addressed in version 6.7.0.

Affected Version(s)

v6 < 6.7.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
