CVE-2026-45714 CRITICAL

CVE-2026-45714: CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

Vendor: Cubecart
Product: v6
Weakness: CWE-94 · Code injection
Published: May 13, 2026
Last update: May 14, 2026

CVSS base score

9.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0.

Key dates

02 Disclosure timeline

May 13, 2026: CVE published
May 14, 2026: Record updated