← voltar
CVE-2026-45714

CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

CVSS 9.1 CRITICALEPSS 0.4%CWE-1336CWE-94
Vexday Risk Score
28Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 9.1EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
13 mai 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Produtos afetados
cubecart · v6

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/cubecart/v6/security/advisories/GHSA-pcfr-xgc9-xfv6