
CubeCart RCE: Critical Flaw Exposes E-commerce Stores to Webshells

The National Vulnerability Database has disclosed a critical Remote Code Execution (RCE) vulnerability, CVE-2026-45053, affecting CubeCart e-commerce software versions prior to 6.7.0. This flaw resides in the REST API’s File Manager endpoint (POST /api/v1/files), allowing authenticated attackers with files:rw permissions to upload arbitrary PHP files.

Combined with a path-traversal vulnerability in the filepath parameter, this enables an attacker to write a webshell anywhere the web server process has write access, including the document root. This effectively grants full RCE capabilities, allowing attackers to compromise the entire e-commerce platform. The CVSS score is a staggering 9.1 (CRITICAL), underscoring the severity of this issue.

This isn’t just a theoretical bug; it’s a direct route to full system compromise. An attacker only needs an API key with specific file write permissions, which could be obtained through various means, including phishing or misconfiguration. Once a webshell is planted, sensitive customer data, payment information, and site integrity are all at risk. Defenders need to recognize that ‘authenticated’ does not mean ‘safe’ when combined with such a powerful arbitrary file upload.

What This Means For You

  • If your organization uses CubeCart, you must immediately verify your version. Patch to 6.7.0 without delay.
  • Audit your API keys and their assigned permissions, especially those with `files:rw` access.
  • Revoke any unnecessary keys and rotate existing ones.
  • Check web server logs for suspicious file uploads or access attempts to `images/source/` or other web-accessible directories.
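
The log check recommended above can be scripted. The following is an added example, not code from CubeCart or from the original advisory. It assumes Combined Log Format access logs, and because access logs normally do not record the request body, it correlates successful `POST /api/v1/files` calls with later requests for script files under `images/source/`. The helper names and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
UPLOAD_PATH = "/api/v1/files"    # endpoint named in the advisory
MEDIA_DIR = "/images/source/"    # directory named in the advisory
# .php is from the advisory; the other extensions are an assumption about
# what the local PHP handler is configured to execute.
SCRIPT_RE = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.I)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop the query string and percent-decode so a%2Ephp is seen as a.php.
    rec["path"] = unquote(rec["target"].split("?", 1)[0])
    return rec

def triage(lines):
    """Return (uploads, hits): 2xx POSTs to the File Manager endpoint, and
    requests for script files under the media directory. Each hit carries
    the most recent earlier upload, if any, for timeline building."""
    uploads, hits = [], []
    for rec in filter(None, map(parse, lines)):
        if (rec["method"] == "POST" and 200 <= rec["status"] < 300
                and rec["path"].rstrip("/") == UPLOAD_PATH):
            uploads.append(rec)
        elif MEDIA_DIR in rec["path"] and SCRIPT_RE.search(rec["path"]):
            rec["after_upload"] = uploads[-1] if uploads else None
            hits.append(rec)
    return uploads, hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [13/May/2026:10:01:02 +0000] "POST /api/v1/files HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '203.0.113.7 - - [13/May/2026:10:01:09 +0000] "GET /images/source/logo.php HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '198.51.100.4 - - [13/May/2026:10:02:00 +0000] "GET /images/source/banner.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [13/May/2026:10:03:00 +0000] "POST /api/v1/files HTTP/1.1" 403 41 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [13/May/2026:10:04:00 +0000] "GET /images/source/a%2Ephp HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for h in triage(SAMPLE)[1]:
        print(h["ts"].isoformat(), h["ip"], h["target"], h["status"])
```

Because the path traversal lets a file land outside `images/source/`, widen `MEDIA_DIR` to the other web-accessible directories the web server process can write to when running this against real logs.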

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CubeCart RCE via Arbitrary File Upload - Webshell Upload - CVE-2026-45053

```yaml
title: CubeCart RCE via Arbitrary File Upload - Webshell Upload - CVE-2026-45053
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects the specific CubeCart API endpoint used for arbitrary file uploads (POST /api/v1/files) when a PHP file is uploaded to the 'images/source/' directory. This is the primary indicator of the CVE-2026-45053 vulnerability being exploited to upload a webshell.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45053/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Successful POST to the File Manager endpoint.
  selection:
    cs-method:
      - 'POST'
    cs-uri:
      - '/api/v1/files'
    sc-status:
      - '200'
    # Field names must match your log pipeline's mapping; 'uri' has to
    # resolve to a field that carries the upload target path.
    uri|contains:
      - 'images/source/'
  # The upload target names a PHP file.
  selection_indicators:
    uri|contains:
      - '.php'
  # Sigma condition operators are written in lowercase.
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World · License & reuse


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-45053 | RCE | CubeCart < 6.7.0 |
| CVE-2026-45053 | Authenticated Arbitrary File Upload | CubeCart REST API File Manager endpoint (POST /api/v1/files) |
| CVE-2026-45053 | Path Traversal | CubeCart REST API File Manager endpoint filepath parameter |
| CVE-2026-45053 | Misconfiguration | CubeCart API key with files:rw permission allows PHP file upload to web-accessible directory |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
