Description
CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the column key and the direction value flow into the query string as bare SQL tokens, and the framework's sqlSafe() (mysqli escape_string) escapes only quote characters — none of which are required for ORDER BY injection. An authenticated administrator with the minimum CC_PERM_READ permission on orders can execute arbitrary SQL against the store database, including time-based blind extraction of admin password hashes, customer PII, and integrated payment-gateway credentials. This vulnerability is fixed in 6.7.0.
Published: 2026-05-13
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CubeCart's order-transaction listing endpoint builds an ORDER BY clause directly from the $_GET['sort'] array. The column key and sort direction are inserted without validation or parameterization, allowing a malicious administrator with the basic CC_PERM_READ permission to inject arbitrary SQL through the sort[] parameter. This injection can extract any data from the database, including administrator password hashes, customer personally identifiable information, and payment gateway credentials. The vulnerability is a classic SQL injection (CWE-89).

Affected Systems

All CubeCart 6 releases before 6.7.0 are affected. The issue was fixed in the 6.7.0 update, which properly sanitizes the ORDER BY input.

Risk and Exploitability

The CVSS score is 4.9, indicating low severity. No EPSS score is published, so current exploit probability is unknown. Inclusion of the vulnerability in the CISA KEV list is not indicated. The attack vector requires prior authenticated access to the CubeCart admin area and the CC_PERM_READ permission on orders, which is typically limited to trusted administrators. However, the privilege level required is sufficient to compromise data confidentiality. Until the official update is applied, the risk of credential theft or other sensitive data leakage remains.

Generated by OpenCVE AI on May 13, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CubeCart to version 6.7.0 or later, which removes the unsanitized ORDER BY construction.
  • Restrict the CC_PERM_READ permission to trusted users only, or remove it entirely from accounts that do not need the orders-transactions listing.
  • Implement strict server-side validation or allowlisting of the "sort" query parameter (both the column name and the sort direction) so that unvalidated values never reach the ORDER BY clause.
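The allowlist the third recommendation calls for, shown as an added PHP example (not CubeCart's own code): the weak pattern the description attributes to the listing page next to a hardened builder that only ever emits tokens from a fixed list. The column names, the default column and the function names are assumptions for illustration.

```php
<?php
// Added example, not CubeCart's own code. Column names, the default column
// and the function names are assumptions for illustration.

// Weak pattern described in the advisory: the sort[] key and value become
// bare SQL tokens. A quote-escaping helper cannot help here because neither
// token sits inside a quoted string literal.
function buildOrderByWeak(array $sort): string
{
    $parts = [];
    foreach ($sort as $col => $dir) {
        $parts[] = "`{$col}` {$dir}"; // no validation of either token
    }
    return $parts === [] ? '' : 'ORDER BY ' . implode(', ', $parts);
}

// Hardened form: both tokens must match a fixed allowlist. Unknown columns
// are dropped, unknown directions fall back to DESC, and an empty result
// falls back to a fixed default ordering.
const SORTABLE_COLUMNS = ['trans_id', 'order_id', 'amount', 'status', 'time']; // assumed
const SORT_DIRECTIONS  = ['ASC', 'DESC'];

function buildOrderBySafe(array $sort, string $defaultCol = 'time'): string
{
    $parts = [];
    foreach ($sort as $col => $dir) {
        // PHP turns numeric-string keys into ints, so check the type as well.
        if (!is_string($col) || !in_array($col, SORTABLE_COLUMNS, true)) {
            continue; // never echo an unknown column name into the SQL
        }
        $dir = is_string($dir) ? strtoupper($dir) : '';
        if (!in_array($dir, SORT_DIRECTIONS, true)) {
            $dir = 'DESC';
        }
        $parts[] = "`{$col}` {$dir}";
    }
    if ($parts === []) {
        $parts[] = "`{$defaultCol}` DESC";
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

// Constructed inputs standing in for $_GET['sort'].
$legit = ['amount' => 'asc', 'time' => 'DESC'];
$junk  = ['not_a_column' => 'DESC', 'amount' => ['x']];
echo buildOrderBySafe($legit), "\n"; // both columns accepted, direction normalised
echo buildOrderBySafe($junk), "\n";  // unknown column dropped, bad direction defaulted
```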

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Cubecart; Cubecart cubecart
Vendors & Products                      Cubecart; Cubecart cubecart

Thu, 14 May 2026 13:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 21:15:00 +0000

Type                  Values Removed    Values Added
Description                             CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the column key and the direction value flow into the query string as bare SQL tokens, and the framework's sqlSafe() (mysqli escape_string) escapes only quote characters — none of which are required for ORDER BY injection. An authenticated administrator with the minimum CC_PERM_READ permission on orders can execute arbitrary SQL against the store database, including time-based blind extraction of admin password hashes, customer PII, and integrated payment-gateway credentials. This vulnerability is fixed in 6.7.0.
Title                                   CubeCart: Authenticated SQL Injection via `sort[]` Parameter in Admin Orders Transactions Listing
Weaknesses                              CWE-89
References
Metrics                                 cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:51:18.199Z

Reserved: 2026-05-08T18:07:27.342Z

Link: CVE-2026-45054

Vulnrichment

Updated: 2026-05-14T12:51:10.215Z

NVD

Status : Deferred

Published: 2026-05-13T21:16:49.270

Modified: 2026-05-14T16:49:18.583

Link: CVE-2026-45054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:20Z

Weaknesses