CVE-2026-44377: CWE-94: Improper Control of Generation of Code ('Code Injection') in cubecart v6
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly through the Smarty template engine. By leveraging this, an authenticated attacker with administrative privileges can bypass current restrictions and call native PHP functions within the templates, such as readgzfile() to read sensitive configuration files, or error_log() to write a malicious PHP web shell, ultimately achieving Information Disclosure and full Remote Code Execution (RCE). This vulnerability is fixed in 6.7.0.
AI Analysis
Technical Summary
CVE-2026-44377 is a critical authenticated Server-Side Template Injection vulnerability affecting CubeCart ecommerce software versions before 6.7.0. The issue arises because the application unsafely evaluates user-supplied input through the Smarty template engine in multiple modules. An attacker with administrative privileges can bypass restrictions to invoke native PHP functions such as readgzfile() and error_log(), enabling them to read sensitive configuration files or write a malicious PHP web shell. This leads to information disclosure and full remote code execution. The vulnerability is addressed in CubeCart 6.7.0.
Potential Impact
Successful exploitation allows an authenticated attacker with administrative privileges to achieve full remote code execution on the affected system and disclose sensitive information. This can lead to complete compromise of the ecommerce platform and underlying server.
Mitigation Recommendations
This vulnerability is fixed in CubeCart version 6.7.0. Users should upgrade to version 6.7.0 or later to remediate this issue. Patch status is not explicitly confirmed in the vendor advisory, but the description states the vulnerability is fixed in 6.7.0. No other mitigation or temporary fix is indicated.
CVE-2026-44377: CWE-94: Improper Control of Generation of Code ('Code Injection') in cubecart v6
Description
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly through the Smarty template engine. By leveraging this, an authenticated attacker with administrative privileges can bypass current restrictions and call native PHP functions within the templates, such as readgzfile() to read sensitive configuration files, or error_log() to write a malicious PHP web shell, ultimately achieving Information Disclosure and full Remote Code Execution (RCE). This vulnerability is fixed in 6.7.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44377 is a critical authenticated Server-Side Template Injection vulnerability affecting CubeCart ecommerce software versions before 6.7.0. The issue arises because the application unsafely evaluates user-supplied input through the Smarty template engine in multiple modules. An attacker with administrative privileges can bypass restrictions to invoke native PHP functions such as readgzfile() and error_log(), enabling them to read sensitive configuration files or write a malicious PHP web shell. This leads to information disclosure and full remote code execution. The vulnerability is addressed in CubeCart 6.7.0.
Potential Impact
Successful exploitation allows an authenticated attacker with administrative privileges to achieve full remote code execution on the affected system and disclose sensitive information. This can lead to complete compromise of the ecommerce platform and underlying server.
Mitigation Recommendations
This vulnerability is fixed in CubeCart version 6.7.0. Users should upgrade to version 6.7.0 or later to remediate this issue. Patch status is not explicitly confirmed in the vendor advisory, but the description states the vulnerability is fixed in 6.7.0. No other mitigation or temporary fix is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T20:15:20.631Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04e7d1cbff5d86100a850b
Added to database: 5/13/2026, 9:06:25 PM
Last enriched: 5/13/2026, 9:21:55 PM
Last updated: 5/14/2026, 6:47:33 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.