🚨 BREAKING

CubeCart CVE-2026-45714: Authenticated RCE Via Template Injection

/CRITICAL /CVSS 9.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severitycwe-94cwe-1336
CubeCart CVE-2026-45714: Authenticated RCE Via Template Injection

The National Vulnerability Database has detailed CVE-2026-45714, a critical Server-Side Template Injection (SSTI) vulnerability in CubeCart, an e-commerce software solution. This flaw, present in versions prior to 6.7.0, allows authenticated administrative users to achieve arbitrary operating system command execution (RCE) on the server. The vulnerability stems from CubeCart’s unsafe evaluation of user-supplied input across multiple modules—including Email Templates, Invoices, Documents, and Contact Forms—without enforcing Smarty Security Policies.

This is a significant issue for any organization running vulnerable CubeCart instances. An attacker who gains administrative credentials, whether through phishing, brute-force, or another exploit, can leverage this SSTI to compromise the entire server. Given the CVSS score of 9.1 (Critical), the impact is severe: full confidentiality, integrity, and availability compromise of the underlying system.

Defenders must prioritize patching CubeCart installations to version 6.7.0 or newer. Beyond patching, organizations should implement strict access controls for administrative interfaces, enforce multi-factor authentication (MFA) for all admin accounts, and regularly audit logs for unusual activity or unauthorized access attempts to administrative panels. The attacker’s calculus here is clear: once they have admin access, this vulnerability provides a direct path to full system control, making it a high-value target.

What This Means For You

  • If your organization uses CubeCart, you must immediately verify your version. Prior to 6.7.0, an authenticated admin user can execute arbitrary code on your server. Patch to CubeCart 6.7.0 or newer without delay and review admin account activity for any suspicious behavior.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: Unix Shell Execution T1505.003 Server Software Component: Web Shell Persistence

🛡️ Detection Rules

7 rules · 6 SIEM formats

7 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

Web Application Exploitation Attempt — CVE-2026-45714

Sigma YAML — free preview 
title: Web Application Exploitation Attempt — CVE-2026-45714
id: scw-2026-05-13-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2026-45714 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45714/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri-query|contains:
        - '..'
        - 'SELECT'
        - 'UNION'
        - '<script'
        - 'cmd='
        - '/etc/passwd'
      condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-45714

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-45714 RCE CubeCart ecommerce software
CVE-2026-45714 Server-Side Template Injection CubeCart versions prior to 6.7.0
CVE-2026-45714 Server-Side Template Injection Vulnerable modules: Email Templates, Invoices, Documents, Contact Forms
CVE-2026-45714 Server-Side Template Injection Smarty template engine without security policies
CVE-2026-45714 Privilege Escalation Authenticated administrative user

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 14, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

OPNsense RCE: Critical Flaw Allows Root Access via DHCP Input

CVE-2026-45158 — OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-88
/SCW Vulnerability Desk /CRITICAL /9.1 /⚑ 4 IOCs /⚙ 3 Sigma

Hoppscotch CVE-2026-44478: Unauthenticated Infrastructure Secret Leak

CVE-2026-44478 — hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking...

vulnerabilityCVEhigh-severitycwe-284cwe-287
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 4 IOCs /⚙ 2 Sigma

CVE-2026-44471: gitoxide Symlink Vulnerability Exposes Filesystem to Attack

CVE-2026-44471 — gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out...

vulnerabilityCVEhigh-severitycwe-59
/SCW Vulnerability Desk /HIGH /7.8 /⚑ 3 IOCs /⚙ 3 Sigma