CubeCart RCE (CVE-2026-45708) Allows Unauthenticated Remote Code Execution

/HIGH /CVSS 7.2/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-94
CubeCart RCE (CVE-2026-45708) Allows Unauthenticated Remote Code Execution

The National Vulnerability Database has detailed CVE-2026-45708, a critical remote code execution (RCE) vulnerability in CubeCart, an e-commerce software solution. This flaw, present in versions prior to 6.7.3, allows an authenticated administrator with document edit permissions to inject raw PHP code into the Invoice Editor. While this requires initial admin access, the subsequent execution chain is alarming.

Once the malicious PHP is saved, any admin clicking ‘Print’ on an order triggers the template rendering, writing the injected code to a file named print.<md5>.php within the files/ directory. Crucially, the .htaccess configuration explicitly permits unauthenticated access to print.*.php files. This means an unauthenticated attacker can then simply fetch this generated file, leading to arbitrary remote code execution on the server. The CVSS score of 7.2 (HIGH) reflects the severe impact and ease of exploitation once the initial condition is met.

For defenders, the key takeaway is clear: this is a supply chain risk through administrative compromise. An attacker first needs to gain high-level access to the CubeCart admin panel, but the RCE then allows for complete system takeover. This isn’t just a defacement; it’s a full compromise channel for e-commerce platforms, potentially exposing customer data, payment information, and allowing for persistent backdoor installation.

What This Means For You

  • If your organization uses CubeCart, you must immediately verify that all instances are patched to version 6.7.3 or higher. Prioritize this, as an attacker with admin credentials can escalate to full server compromise through this vulnerability. Audit your admin logs for suspicious activity, especially around invoice editing and template modifications, if you were running vulnerable versions.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: PHP Execution

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CubeCart RCE via Invoice Editor - PHP Code Injection - CVE-2026-45708

Sigma YAML — free preview 
title: CubeCart RCE via Invoice Editor - PHP Code Injection - CVE-2026-45708
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects the initial exploitation of CubeCart CVE-2026-45708. This rule looks for POST requests to the documents.php endpoint with parameters indicating an attempt to save raw PHP code into the invoice editor, which is the first step in achieving RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45708/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/admin/documents.php'
      cs-method:
          - 'POST'
      cs-uri-query|contains:
          - 'action=save'
  selection_base:
      cs-uri-query|contains:
          - 'edit=invoice'
  selection_indicators:
      cs-uri-query|contains:
          - 'raw=1'
  condition: selection AND selection_base AND selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-45708 RCE CubeCart ecommerce software
CVE-2026-45708 RCE CubeCart versions prior to 6.7.3
CVE-2026-45708 RCE Vulnerable component: Invoice Editor allows saving raw PHP
CVE-2026-45708 RCE Exploitation vector: files/print..php execution via .htaccess carve-out

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 14, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

OPNsense RCE: Critical Flaw Allows Root Access via DHCP Input

CVE-2026-45158 — OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-88
/SCW Vulnerability Desk /CRITICAL /9.1 /⚑ 4 IOCs /⚙ 3 Sigma

Hoppscotch CVE-2026-44478: Unauthenticated Infrastructure Secret Leak

CVE-2026-44478 — hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking...

vulnerabilityCVEhigh-severitycwe-284cwe-287
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 4 IOCs /⚙ 2 Sigma

CVE-2026-44471: gitoxide Symlink Vulnerability Exposes Filesystem to Attack

CVE-2026-44471 — gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out...

vulnerabilityCVEhigh-severitycwe-59
/SCW Vulnerability Desk /HIGH /7.8 /⚑ 3 IOCs /⚙ 3 Sigma