Impact
CubeCart versions prior to 6.7.0 contain an authenticated server-side template injection (SSTI) flaw reachable from several administrative modules, including Email Templates, Invoices, Documents and Contact Forms. Content entered in these modules is handed to the Smarty template engine and compiled as a template without Smarty's security policy (Smarty_Security) enabled; in that mode template expressions may call arbitrary PHP functions, so an authenticated administrator can embed template code that executes operating-system commands on the hosting server. The result is full loss of confidentiality, integrity and availability of the affected system. The weakness is categorised as Improper Control of Generation of Code ('Code Injection', CWE-94) and Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336).
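To make the mechanism concrete, the following is an added example and not CubeCart's or Smarty's own code. It renders an administrator-supplied template string twice: the way the advisory describes (no security policy) and under an explicit Smarty_Security allowlist that rejects disallowed function calls at compile time. It assumes Smarty 4.x installed through Composer on PHP 8; the function names renderUnsafe, renderSandboxed and newSmarty, the templates directory, and both template bodies are hypothetical or constructed for illustration.

```php
<?php
// Added example, not CubeCart's or Smarty's code. Assumes Smarty 4.x
// (composer require smarty/smarty) on PHP 8. $body stands for a template
// string submitted by an authenticated administrator through a template-
// editing form; function and directory names are hypothetical.
require __DIR__ . '/vendor/autoload.php';

function newSmarty(): Smarty
{
    $smarty = new Smarty();
    $smarty->setTemplateDir(__DIR__ . '/templates');                // hypothetical path
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile');  // compiled-PHP cache
    return $smarty;
}

// Vulnerable pattern: the admin-supplied string is compiled and executed as a
// template with no security policy, so an expression such as {system("id")}
// calls PHP's system() and runs a shell command under the web server's account.
function renderUnsafe(string $body, array $vars): string
{
    $smarty = newSmarty();
    $smarty->assign($vars);
    return $smarty->fetch('string:' . $body);
}

// Hardened pattern: the same rendering under an explicit Smarty_Security policy.
// Anything outside the policy is refused while compiling, with a
// SmartyCompilerException, before any template code runs.
function renderSandboxed(string $body, array $vars): string
{
    $smarty = newSmarty();
    $policy = new Smarty_Security($smarty);
    // For these list settings an EMPTY list means "allow everything",
    // so the allowlists must be non-empty.
    $policy->php_functions = ['isset', 'empty', 'count', 'in_array']; // no system/exec/passthru/...
    $policy->php_modifiers = ['escape', 'count', 'nl2br'];            // no {$x|system} either
    $policy->static_classes = ['Smarty_Security_NoClassAllowed'];     // nonexistent sentinel: no {Class::method()} reachable
    $policy->allow_constants     = false;  // no constant access from templates
    $policy->allow_super_globals = false;  // no {$smarty.server.*}, {$smarty.env.*}, ...
    $policy->allow_php_templates = false;  // no .php template resources
    $policy->disabled_tags = ['fetch', 'include_php'];  // {fetch file=...} reads local files/URLs
    // Keeps {$smarty.template_object->...} from reaching the engine object on
    // Smarty versions that still expose it; harmless where it does not exist.
    $policy->disabled_special_smarty_vars = ['template_object'];
    // secure_dir defaults to the template dir and trusted_uri is empty, so
    // {include file='/etc/passwd'} and remote fetches are refused as well.
    $smarty->enableSecurity($policy);
    $smarty->assign($vars);
    return $smarty->fetch('string:' . $body);
}

$vars = ['customer_name' => 'Jane'];
// Constructed sample inputs: a legitimate e-mail template body and a hostile one.
$benign  = 'Hello {$customer_name|escape}, your invoice is attached.';
$hostile = '{system("id")}';

echo renderSandboxed($benign, $vars), PHP_EOL;
try {
    renderSandboxed($hostile, $vars);
} catch (SmartyException $e) {
    // Compile-time rejection; the message names the disallowed function.
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// renderUnsafe($hostile, $vars) would run `id` on the server; it is deliberately not called.
```

The design point is that sandboxing has to be opt-in and explicit in Smarty 3 and 4: a bare Smarty instance trusts the template author completely, which is the wrong trust model when the author is a web-application administrator rather than the developer. Smarty 5 renamed the classes (Smarty\Smarty, Smarty\Security), so the class names above are specific to the 4.x assumption.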
Affected Systems
Any CubeCart v6 installation older than the 6.7.0 release is vulnerable; because the injection points are the administrative template-editing features, practical exposure depends on the affected modules being available for editing in the admin panel. The CNA lists CubeCart v6 as the affected product without narrower sub-version ranges; the only boundary given is that versions before 6.7.0 are affected, so upgrading to 6.7.0 or later is the remediation.
Risk and Exploitability
The CVSS base score of 9.1 places the vulnerability in the Critical range. At the time of this analysis no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated administrator account; an attacker who obtains such credentials can inject template code and execute system commands without further obstacles. The practical consequence is that an administrative account, which by design may edit shop content, becomes equivalent to code execution on the underlying host, so any compromise of a CubeCart admin account on a version before 6.7.0 should be treated as a server compromise. Given the severity and the straightforward exploitation path once authenticated, the risk to unpatched installations is very high.
OpenCVE Enrichment