VYPR

Vendor: Cubecart
Products: 2
CVEs: 59 (60 across products)
Status: Private
Recent CVEs

  • CVE-2013-1465 (Critical, Feb 8, 2013)
    risk 0.67, CVSS 9.8, EPSS 0.07

    The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.

  • CVE-2026-34018 (Critical, Apr 17, 2026)
    risk 0.57, CVSS 9.8, EPSS 0.00

    An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product.

  • CVE-2026-45714 (Critical, May 13, 2026)
    risk 0.52, CVSS 9.1, EPSS 0.00

    CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates…

  • CVE-2026-45053 (Critical, May 13, 2026)
    risk 0.52, CVSS 9.1, EPSS 0.01

    CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The endpoint allows any holder of an API key with files:rw permission to upload PHP…

  • CVE-2026-44377 (Critical, May 13, 2026)
    risk 0.52, CVSS 9.1, EPSS 0.01

    CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly…

  • CVE-2026-45055 (High, May 13, 2026)
    risk 0.46, CVSS 8.1, EPSS 0.00

    CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email links, most critically the password-reset…

  • CVE-2017-2098 (Medium, Apr 28, 2017)
    risk 0.42, CVSS 6.5, EPSS 0.02

    Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.

  • CVE-2017-2090 (Medium, Apr 28, 2017)
    risk 0.42, CVSS 6.5, EPSS 0.02

    Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.

  • CVE-2026-45708 (High, May 13, 2026)
    risk 0.40, CVSS 7.2, EPSS 0.00

    CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print..php. files/.htaccess…

  • CVE-2026-39358 (High, May 13, 2026)
    risk 0.40, CVSS 7.2, EPSS 0.00

    CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and sort_customer) of the Products and Logs endpoints in CubeCart v6.x.…

  • CVE-2026-21719 (High, Apr 17, 2026)
    risk 0.40, CVSS 7.2, EPSS 0.01

    An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command.

  • CVE-2026-44376 (Medium, May 13, 2026)
    risk 0.36, CVSS 6.1, EPSS 0.01

    CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns…

  • CVE-2017-2117 (Medium, Apr 28, 2017)
    risk 0.32, CVSS 4.9, EPSS 0.02

    Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows an attacker with administrator rights to read arbitrary files via unspecified vectors.

  • CVE-2026-45054 (Medium, May 13, 2026)
    risk 0.25, CVSS 4.9, EPSS 0.00

    CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the…

  • CVE-2026-39428 (Medium, May 13, 2026)
    risk 0.24, CVSS 4.8, EPSS 0.00

    CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of…

  • CVE-2026-35496 (Low, Apr 17, 2026)
    risk 0.11, CVSS 2.7, EPSS 0.00

    A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible.

  • CVE-2009-3904 (Nov 6, 2009)
    risk 0.04, CVSS not listed, EPSS 0.09

    classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via an HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2)…

  • CVE-2006-0922 (Feb 28, 2006)
    risk 0.04, CVSS not listed, EPSS 0.08

    CubeCart 3.0 through 3.6 does not properly check authorization for an administration session because of a missing auth.inc.php include, which results in an absolute path traversal vulnerability in FileUpload in connector.php (aka upload.php) that allows remote attackers to…

  • CVE-2005-0442 (May 2, 2005)
    risk 0.04, CVSS not listed, EPSS 0.08

    Directory traversal vulnerability in index.php for CubeCart 2.0.4 allows remote attackers to read arbitrary files via the language parameter.

  • CVE-2014-2341 (Apr 22, 2014)
    risk 0.03, CVSS not listed, EPSS 0.06

    Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.