CVE-2026-45714

CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

Assigner: GitHub_M
Reserved: 13.05.2026 Published: 13.05.2026 Updated: 13.05.2026

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	cubecart
Product	v6
Versions	Version < 6.7.0 is affected

Vendor

cubecart

Product

Versions

Version < 6.7.0 is affected

References

Problem Types

CWE-94: Improper Control of Generation of Code ('Code Injection') CWE
CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine CWE

CVE-2026-45714 PUBLISHED

CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

Metrics

Product Status

References

Problem Types