CVE-2026-45714

CRITICAL · 9.1

hype MOSTLY HYPE · 28 hack

Recent CVE with real patch; no PoC, KEV, or exploitation chatter yet. Mostly advisory republishing.

What: Authenticated Server-Side Template Injection (SSTI) in CubeCart <6.7.0 via Smarty template engine allows admin RCE; CVSS 9.1 CRITICAL.

Why it matters: Published May 13, 2026 with no KEV listing or public PoC yet. Impact is high (RCE) but gated behind admin auth. Vendor patch (6.7.0) exists. Social chatter is fast-follow aggregation of NVD/vendor advisory rather than exploitation signal.

Where it's seen: Vuln feed aggregators (VulmonFeeds, TheHackerWire, OffSeq) reposting CVE metadata and urging upgrades. No defender triage requests, PoC code, or in-the-wild reports visible.

RISK: HIGH — RCE via admin template injection; patch available same-day; admin-gated reduces immediate mass impact.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/14/2026, 11:54:43 AM

Description

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0.

CVSS 3.1 breakdown

Exploitability 2.3 · Impact 6.0

vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack vector: Network
Complexity: Low
Privileges required: High
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Weaknesses

References

Other · 1

https://github.com/cubecart/v6/security/advisories/GHSA-pcfr-xgc9-xfv6