CVE-2026-45714 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: May 14, 2026
CubeCart - Server-Side Template Injection
Overview
CubeCart < 6.7.0 contains an authenticated server-side template injection caused by unsafe evaluation of user input in Smarty templates without security policies, letting authenticated admin users execute arbitrary OS commands.
Severity & Score
Impact
Authenticated admin users can execute arbitrary operating system commands, potentially leading to full server compromise.
Mitigation
Upgrade to version 6.7.0 or later.
Social Media Activity(2 posts)
🚨 CRITICAL: CVE-2026-45714 in CubeCart < 6.7.0 enables authenticated admins to execute OS commands via SSTI (Smarty engine) — full RCE risk. Patch to 6.7.0+ ASAP! https://radar.offseq.com/threat/cve-2026-45714-cwe-94-improper-control-of-generati-b4219bcf #OffSeq #CubeCart #SSTI #RCE #Vuln
View original post
🚨 CRITICAL: CVE-2026-45714 in CubeCart < 6.7.0 enables authenticated admins to execute OS commands via SSTI (Smarty engine) — full RCE risk. Patch to 6.7.0+ ASAP! https://radar.offseq.com/threat/cve-2026-45714-cwe-94-improper-control-of-generati-b4219bcf #OffSeq #CubeCart #SSTI #RCE #Vuln
View original postRelated Resources
Details
- CVE ID
- CVE-2026-45714
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- template_injection
- Status
- rejected
- EPSS
- 4.4%
- Social Posts
- 2
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H