Home / Vulnerability Intelligence / CVE-2026-44377

CVE-2026-44377 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: May 14, 2026

CubeCart - Server-Side Template Injection

Published: May 13, 2026Updated: May 14, 2026Remote Exploitable

Overview

CubeCart < 6.7.0 contains an authenticated server-side template injection caused by unsafe evaluation of user input in Smarty templates, letting authenticated admin attackers achieve information disclosure and remote code execution.

Severity & Score

Severity: Critical

CVSS Score: 9.1

Impact

Authenticated admin attackers can execute arbitrary PHP code and disclose sensitive information, leading to full system compromise.

Mitigation

Upgrade to version 6.7.0 or later.

References

https://github.com/cubecart/v6/commit/76d783c8c4d87a8a90dbfef1344a2733e7c6434c
https://github.com/cubecart/v6/security/advisories/GHSA-wpjx-g695-qc5j

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-44377
Severity: Critical
CVSS Score: 9.1
Type: template_injection
Status: rejected

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H