PT-2026-40806 · Cubecart · Cubecart

Published: 2026-05-13 · Updated: 2026-05-13 · CVE-2026-44377

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

CubeCart versions prior to 6.7.0

Description

An Authenticated Server-Side Template Injection (SSTI) exists in multiple modules, including Email Templates and Documents. The application unsafely evaluates user-supplied input through the Smarty template engine. An authenticated attacker with administrative privileges can bypass restrictions to call native PHP functions within templates, such as readgzfile() to read sensitive configuration files or error_log() to write a malicious PHP web shell, leading to Information Disclosure and Remote Code Execution (RCE).

Recommendations

Update to version 6.7.0.
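
Alongside the upgrade, stored template content (Email Templates, Documents) can be audited for Smarty tags that call PHP functions. The following is an added example, not CubeCart's code or its fix; the allowlist, the template names and the sample templates are constructed assumptions, and the tag parsing is a simplification of Smarty syntax.

```python
import re

# Smarty tag on one line: "{...}" where "{" is not followed by whitespace
# (Smarty treats "{ " as literal text). Nested braces and multi-line tags
# are not handled in this simplified audit.
TAG_RE = re.compile(r"\{(?!\s)([^{}]*)\}")
# Single-quoted strings are blanked so their contents are not read as calls.
SQ_STRING_RE = re.compile(r"'[^']*'")
# A bare identifier followed by "(" is a function call. The lookbehind skips
# $variables, ->method() and Class::method().
CALL_RE = re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")

# Smarty keywords and word operators that may legally precede "(".
SMARTY_WORDS = {"if", "elseif", "while", "for", "foreach", "and", "or", "not",
                "xor", "eq", "ne", "neq", "gt", "lt", "ge", "gte", "le", "lte",
                "mod", "is", "by", "div"}
# Assumption: functions this deployment considers harmless in templates.
ALLOWED_FUNCS = {"isset", "empty", "count", "in_array"}


def audit_template(name, text):
    """Return (template, line number, function) for each non-allowlisted call."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for tag in TAG_RE.finditer(line):
            body = SQ_STRING_RE.sub("''", tag.group(1))
            for call in CALL_RE.finditer(body):
                fn = call.group(1).lower()
                if fn not in SMARTY_WORDS and fn not in ALLOWED_FUNCS:
                    findings.append((name, lineno, fn))
    return findings


def audit_all(templates):
    """Audit a {name: template_text} mapping, e.g. rows exported from the DB."""
    return [f for name, text in templates.items()
            for f in audit_template(name, text)]


# Constructed sample data: one ordinary template, one with PHP function calls.
SAMPLES = {
    "order_confirm": "Hello {$data.first_name|escape}\n"
                     "{if isset($data.items) and (count($data.items) > 0)}...{/if}",
    "doc_terms": "Terms\n{readgzfile($file)}\n<p>{error_log($msg)}</p>",
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print("template=%s line=%d function=%s" % finding)
```

Any finding is a prompt for manual review of that template and of the admin account that last edited it, not proof of compromise.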

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-44377

Affected Products

Cubecart