CVE-2026-44377: Critical RCE in CubeCart eCommerce Platform

/CRITICAL /CVSS 9.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severityremote-code-executioncwe-94cwe-1336
CVE-2026-44377: Critical RCE in CubeCart eCommerce Platform

The National Vulnerability Database (NVD) has detailed CVE-2026-44377, a critical Authenticated Server-Side Template Injection (SSTI) vulnerability in CubeCart, an e-commerce software solution. This flaw, present in versions prior to 6.7.0, allows an authenticated attacker with administrative privileges to bypass security restrictions within multiple modules, including Email Templates and Documents. The application’s unsafe evaluation of user-supplied input via the Smarty template engine is the root cause.

By exploiting this vulnerability, an attacker can execute arbitrary PHP functions. The NVD highlights two critical examples: using readgzfile() to exfiltrate sensitive configuration files and error_log() to write a malicious PHP web shell. This chain of exploitation ultimately leads to information disclosure and full Remote Code Execution (RCE), granting the attacker complete control over the affected e-commerce platform.

The CVSSv3.1 score of 9.1 (Critical) underscores the severity. For defenders, this means a direct path to total compromise if an admin account is breached or misused. Patching to version 6.7.0 or later is the only definitive mitigation. Given the high impact, organizations running vulnerable CubeCart instances must prioritize this update immediately.

What This Means For You

  • If your organization uses CubeCart, you need to check your version immediately. An authenticated admin account is all an attacker needs to achieve full Remote Code Execution and compromise your entire e-commerce store. This isn't theoretical; the path to RCE is direct and well-defined by the vulnerability details. Patch to CubeCart version 6.7.0 or later without delay.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: PHP Execution T1071.001 Application Layer Protocol: Web Protocols Command and Control

🛡️ Detection Rules

4 rules · 6 SIEM formats

4 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-44377: CubeCart SSTI RCE via Smarty Template Injection

Sigma YAML — free preview 
title: CVE-2026-44377: CubeCart SSTI RCE via Smarty Template Injection
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-44377 by targeting the edit.inc.php script in CubeCart with a POST request containing a template parameter, indicative of Server-Side Template Injection (SSTI) aimed at achieving Remote Code Execution (RCE).
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44377/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/admin/sources/edit.inc.php'
      cs-uri-query|contains:
          - 'template=' 
      cs-method|exact: 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-44377 RCE CubeCart < 6.7.0
CVE-2026-44377 Server-Side Template Injection CubeCart: Email Templates module
CVE-2026-44377 Server-Side Template Injection CubeCart: Documents module
CVE-2026-44377 Information Disclosure CubeCart: Smarty template engine unsafe evaluation leading to readgzfile()
CVE-2026-44377 Code Injection CubeCart: Smarty template engine unsafe evaluation leading to error_log() for web shell

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 14, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-32991: Team Member Privilege Escalation to Owner Account

CVE-2026-32991 — Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.

vulnerabilityCVEhigh-severitycwe-863
/SCW Vulnerability Desk /HIGH /7.1 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-29206: SQL Injection in sqloptimizer via Slow Query Logs

CVE-2026-29206 — Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging...

vulnerabilityCVEhigh-severitysql-injectioncwe-89
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 3 IOCs /⚙ 7 Sigma

OPNsense RCE: Critical Flaw Allows Root Access via DHCP Input

CVE-2026-45158 — OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-88
/SCW Vulnerability Desk /CRITICAL /9.1 /⚑ 4 IOCs /⚙ 3 Sigma