CVE Catalog

CVE-2026-45053

Critical
Published: Translated: NVD NIST

Summary

CubeCart prior to version 6.7.0 contained an Authenticated Arbitrary File Upload vulnerability in the REST API File Manager endpoint. This allows any holder of an API key with files:rw permission to upload PHP files to the images/source/ directory, where they are executed by the web server.

Risk Assessment

This vulnerability can lead to Remote Code Execution, posing a serious threat to the security of the system and the organization's data. An attacker could gain full control over the server, potentially resulting in data loss or privacy breaches.

Recommendation

It is recommended to upgrade CubeCart to version 6.7.0 or later to mitigate this vulnerability. Additionally, access to the API should be restricted to trusted users, and server logs should be monitored for unauthorized activities.

Original NVD description (English source)

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The endpoint allows any holder of an API key with files:rw permission to upload PHP source files into the web-accessible images/source/ directory, where they are executed by the web server. Combined with a path-traversal flaw in the same endpoint's filepath parameter, a single API request writes a webshell anywhere the webserver process can write — including the document root — yielding full Remote Code Execution. This vulnerability is fixed in 6.7.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS