CVE-2026-45054: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in cubecart v6
CubeCart v6 prior to version 6. 7. 0 contains an SQL injection vulnerability in the admin orders-transactions listing page. The vulnerability arises because the 'sort' parameter from the GET request is used directly in an ORDER BY SQL clause without proper validation or sanitization. An authenticated administrator with read permissions on orders can exploit this flaw to execute arbitrary SQL queries, potentially extracting sensitive data such as admin password hashes, customer personal information, and payment gateway credentials. This vulnerability has a medium severity rating and is fixed in CubeCart version 6. 7. 0.
AI Analysis
Technical Summary
CubeCart ecommerce software versions before 6.7.0 have an SQL injection vulnerability (CWE-89) in the admin orders-transactions listing page (admin.php?_g=orders&node=transactions). The issue occurs because the 'sort' parameter from the HTTP GET request is incorporated directly into the ORDER BY clause of an SQL query without validating the column or direction values. The framework's sqlSafe() function only escapes quote characters, which does not prevent injection in ORDER BY clauses. An authenticated admin user with minimal read permissions on orders can exploit this to execute arbitrary SQL commands against the store database, including extracting sensitive data such as admin password hashes, customer personally identifiable information, and payment gateway credentials. The vulnerability is addressed in CubeCart version 6.7.0.
Potential Impact
An attacker with authenticated administrator access and minimal read permissions on orders can perform SQL injection attacks on the CubeCart database. This can lead to unauthorized disclosure of sensitive information including administrator password hashes, customer personal data, and payment gateway credentials. The vulnerability does not affect availability or integrity directly but compromises confidentiality. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability is fixed in CubeCart version 6.7.0. Users should upgrade to version 6.7.0 or later to remediate this issue. Since no official patch or temporary workaround is provided in the advisory, upgrading is the recommended and effective mitigation.
CVE-2026-45054: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in cubecart v6
Description
CubeCart v6 prior to version 6. 7. 0 contains an SQL injection vulnerability in the admin orders-transactions listing page. The vulnerability arises because the 'sort' parameter from the GET request is used directly in an ORDER BY SQL clause without proper validation or sanitization. An authenticated administrator with read permissions on orders can exploit this flaw to execute arbitrary SQL queries, potentially extracting sensitive data such as admin password hashes, customer personal information, and payment gateway credentials. This vulnerability has a medium severity rating and is fixed in CubeCart version 6. 7. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CubeCart ecommerce software versions before 6.7.0 have an SQL injection vulnerability (CWE-89) in the admin orders-transactions listing page (admin.php?_g=orders&node=transactions). The issue occurs because the 'sort' parameter from the HTTP GET request is incorporated directly into the ORDER BY clause of an SQL query without validating the column or direction values. The framework's sqlSafe() function only escapes quote characters, which does not prevent injection in ORDER BY clauses. An authenticated admin user with minimal read permissions on orders can exploit this to execute arbitrary SQL commands against the store database, including extracting sensitive data such as admin password hashes, customer personally identifiable information, and payment gateway credentials. The vulnerability is addressed in CubeCart version 6.7.0.
Potential Impact
An attacker with authenticated administrator access and minimal read permissions on orders can perform SQL injection attacks on the CubeCart database. This can lead to unauthorized disclosure of sensitive information including administrator password hashes, customer personal data, and payment gateway credentials. The vulnerability does not affect availability or integrity directly but compromises confidentiality. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability is fixed in CubeCart version 6.7.0. Users should upgrade to version 6.7.0 or later to remediate this issue. Since no official patch or temporary workaround is provided in the advisory, upgrading is the recommended and effective mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T18:07:27.342Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04e7d1cbff5d86100a8516
Added to database: 5/13/2026, 9:06:25 PM
Last enriched: 5/13/2026, 9:22:18 PM
Last updated: 5/13/2026, 10:08:44 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.