CVE-2026-45053 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: May 14, 2026
CubeCart - Arbitrary File Upload
Published: May 13, 2026 | Updated: May 14, 2026 | Remote Exploitable
Overview
CubeCart < 6.7.0 contains an authenticated arbitrary file upload vulnerability caused by insufficient validation in the REST API File Manager endpoint. An attacker holding an API key with the files:rw permission can upload PHP files and execute them remotely. Exploitation requires a valid API key with the files:rw permission.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers with an API key can upload and execute arbitrary PHP code remotely, leading to full remote code execution and server compromise.
Mitigation
Update to version 6.7.0 or later.
Details
- CVE ID: CVE-2026-45053
- Severity: Critical
- CVSS Score: 9.1
- Type: unrestricted_file_upload
- Status: rejected
CWE
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H