CVE-2026-45714
CriticalSummary
CubeCart prior to version 6.7.0 has an Authenticated Server-Side Template Injection (SSTI) vulnerability in multiple modules, including Email Templates, Invoices, Documents, and Contact Forms. The application unsafely evaluates user-supplied input, allowing authenticated users with administrative privileges to execute arbitrary operating system commands.
Risk Assessment
This vulnerability poses a serious risk to server security, allowing attackers with administrative access to execute arbitrary system commands, potentially leading to full system compromise.
Recommendation
It is recommended to upgrade CubeCart to version 6.7.0 or later to mitigate this vulnerability and to implement Smarty Security Policies to secure input processing.
Original NVD description (English source)
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0.

