Description
An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command.
Published: 2026-04-17
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw in CubeCart allows an attacker who can log in as an administrator to supply arbitrary input that is passed directly to the operating system. The flaw enables the execution of any command on the server, giving full control over the affected system and potentially compromising confidentiality, integrity, and availability.

Affected Systems

CubeCart Limited’s CubeCart product in all releases prior to version 6.6.0, including 6.5.x and earlier, is impacted. No specific patch version list is given, so any deployment earlier than 6.6.0 is vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 8.6, indicating high severity. The likelihood of exploitation is not quantified, and the vulnerability is not classified as a known exploited weakness in public repositories. The likely attack path requires an attacker to obtain administrative credentials or exploit an existing admin session, after which arbitrary OS commands can be executed. The absence of an application-layer restriction and the direct use of user input in system calls make exploitation straightforward for a qualified attacker.

Generated by OpenCVE AI on April 17, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CubeCart to version 6.6.0 or later, which removes the vulnerable input handling.
  • Ensure that all administrative accounts use strong, unique passwords and, if possible, enable multi‑factor authentication to reduce the risk of credential compromise.
  • Audit any custom modules or third‑party extensions for unvalidated system calls and remove or sanitize them before they can be executed by an administrator.

Generated by OpenCVE AI on April 17, 2026 at 06:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Cubecart
Cubecart cubecart
Vendors & Products Cubecart
Cubecart cubecart

Fri, 17 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Title Administratively Privileged OS Command Injection in CubeCart Before 6.6.0

Fri, 17 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command.
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Cubecart Cubecart
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-17T12:21:48.770Z

Reserved: 2026-04-13T02:53:42.375Z

Link: CVE-2026-21719

cve-icon Vulnrichment

Updated: 2026-04-17T12:21:44.532Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T06:16:29.430

Modified: 2026-04-17T15:08:25.183

Link: CVE-2026-21719

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T08:00:10Z

Weaknesses