CVE-2026-45053

Name of the Vulnerable Software and Affected Versions CubeCart versions prior to 6.7.0

Description An authenticated arbitrary file upload and path traversal issue exists in the REST API File Manager endpoint "POST /api/v1/files". Users possessing an API key with files:rw permission can upload PHP source files to the web-accessible images/source/ directory. By exploiting a path traversal flaw in the filepath parameter, an attacker can write a webshell to any location accessible by the webserver process, such as the document root, resulting in remote code execution.

Recommendations Update to version 6.7.0.