Description
CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print.<md5>.php. files/.htaccess ships an explicit <Files print.*.php> allow from all </Files> carve-out, so the file is fetched and executed by any unauthenticated visitor. This vulnerability is fixed in 6.7.3.
Published: 2026-05-13
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated administrator with permission to edit documents can inject raw PHP into the Invoice Editor. When the administrator later prints an order, the injected code is written to a temporary file that is executed by any user who accesses the URL. The flaw permits attackers to run arbitrary code on the server, compromising confidentiality, integrity, and availability. The weakness is a classic code injection reflected in CWE‑94.

Affected Systems

CubeCart version 6 and earlier, up to but not including 6.7.3. All installations that did not upgrade to the patched release are vulnerable.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity vulnerability. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog. Exploitation requires an administrator with edit permissions, after which an unauthenticated user can trigger the execution by requesting the dynamically generated PHP file. The likelihood of exploitation depends on the presence of privileged users, but once the conditions are met the attack is straightforward.

Generated by OpenCVE AI on May 13, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CubeCart to version 6.7.3 or later to apply the vendor patch
  • If an upgrade is not feasible, remove or restrict the ability for users to edit invoice templates so that no PHP code can be stored
  • Ensure that the web server does not allow execution of files generated in the web root by reviewing or removing any <Files print.*.php> allow from all directives

Generated by OpenCVE AI on May 13, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Cubecart
Cubecart cubecart
Vendors & Products Cubecart
Cubecart cubecart

Wed, 13 May 2026 21:15:00 +0000

Type Values Removed Values Added
Description CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print.<md5>.php. files/.htaccess ships an explicit <Files print.*.php> allow from all </Files> carve-out, so the file is fetched and executed by any unauthenticated visitor. This vulnerability is fixed in 6.7.3.
Title CubeCart: Authenticated RCE via Invoice Template → Order Print
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Cubecart Cubecart
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:52:20.652Z

Reserved: 2026-05-13T04:38:01.166Z

Link: CVE-2026-45708

cve-icon Vulnrichment

Updated: 2026-05-14T16:15:46.388Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T21:16:49.877

Modified: 2026-05-14T20:17:09.407

Link: CVE-2026-45708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:33:16Z

Weaknesses