Vendor
Cubecart
Products
2
CVEs
27
Across products
114
Status
Private
Products
2- 107 CVEs
- 7 CVEs
Recent CVEs
27| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2013-1465 | Cri | 0.69 | 9.8 | 0.31 | Feb 8, 2013 | The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object. | |
| CVE-2026-34018 | Cri | 0.64 | 9.8 | 0.00 | Apr 17, 2026 | An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product. | |
| CVE-2026-45714 | Cri | 0.59 | 9.1 | 0.00 | May 13, 2026 | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0. | |
| CVE-2026-44377 | Cri | 0.59 | 9.1 | 0.00 | May 13, 2026 | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly through the Smarty template engine. By leveraging this, an authenticated attacker with administrative privileges can bypass current restrictions and call native PHP functions within the templates, such as readgzfile() to read sensitive configuration files, or error_log() to write a malicious PHP web shell, ultimately achieving Information Disclosure and full Remote Code Execution (RCE). This vulnerability is fixed in 6.7.0. | |
| CVE-2026-45708 | Hig | 0.47 | 7.2 | 0.00 | May 13, 2026 | CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print.<md5>.php. files/.htaccess ships an explicit <Files print.*.php> allow from all </Files> carve-out, so the file is fetched and executed by any unauthenticated visitor. This vulnerability is fixed in 6.7.3. | |
| CVE-2026-39358 | Hig | 0.47 | 7.2 | 0.00 | May 13, 2026 | CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and sort_customer) of the Products and Logs endpoints in CubeCart v6.x. This allows an attacker to execute arbitrary SQL commands, compromising the confidentiality and integrity of the database. This vulnerability is fixed in 6.6.0. | |
| CVE-2026-21719 | Hig | 0.47 | 7.2 | 0.00 | Apr 17, 2026 | An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command. | |
| CVE-2017-2090 | Med | 0.43 | 6.5 | 0.03 | Apr 28, 2017 | Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors. | |
| CVE-2017-2098 | Med | 0.42 | 6.5 | 0.02 | Apr 28, 2017 | Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors. | |
| CVE-2026-44376 | Med | 0.40 | 6.1 | 0.00 | May 13, 2026 | CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product. This flaw bypasses current filters, allowing an attacker to execute malicious JavaScript in the victim's browser, leading to session hijacking, site defacement, or phishing. This vulnerability is fixed in 6.7.0. | |
| CVE-2026-45054 | Med | 0.32 | 4.9 | 0.00 | May 13, 2026 | CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the column key and the direction value flow into the query string as bare SQL tokens, and the framework's sqlSafe() (mysqli escape_string) escapes only quote characters — none of which are required for ORDER BY injection. An authenticated administrator with the minimum CC_PERM_READ permission on orders can execute arbitrary SQL against the store database, including time-based blind extraction of admin password hashes, customer PII, and integrated payment-gateway credentials. This vulnerability is fixed in 6.7.0. | |
| CVE-2017-2117 | Med | 0.32 | 4.9 | 0.02 | Apr 28, 2017 | Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary files via unspecified vectors. | |
| CVE-2026-39428 | Med | 0.31 | 4.8 | 0.00 | May 13, 2026 | CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of a product. These payloads are stored in the database and executed whenever a user (customer or another administrator) views the affected product pages, which could lead to session hijacking or unauthorized actions. This vulnerability is fixed in 6.6.0. | |
| CVE-2026-35496 | Low | 0.18 | 2.7 | 0.00 | Apr 17, 2026 | A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible. | |
| CVE-2012-0865 | 0.04 | — | 0.11 | Feb 21, 2012 | Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) r parameter to switch.php or (2) goto parameter to admin/login.php. | ||
| CVE-2014-2341 | 0.03 | — | 0.05 | Apr 22, 2014 | Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter. | ||
| CVE-2010-1931 | 0.03 | — | 0.02 | Jun 10, 2010 | SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php. | ||
| CVE-2009-4060 | 0.03 | — | 0.00 | Nov 24, 2009 | SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 remote attackers to execute arbitrary SQL commands via the productId parameter. | ||
| CVE-2009-3904 | 0.03 | — | 0.05 | Nov 6, 2009 | classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via a HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header. | ||
| CVE-2023-47675 | 0.00 | — | 0.01 | Nov 17, 2023 | CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command. |