PT-2026-40812 · Cubecart · Cubecart

Published: 2026-05-13 · Updated: 2026-05-14 · CVE-2026-45054

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CubeCart versions prior to 6.7.0

Description: The admin orders-transactions listing page at 'admin.php?_g=orders&node=transactions' constructs a raw ORDER BY SQL fragment from the sort array in the $_GET variable without validating the column or direction. Because the sqlSafe() function only escapes quote characters, it does not prevent SQL injection in the ORDER BY clause. An authenticated administrator with the minimum CC_PERM_READ permission on orders can execute arbitrary SQL commands against the store database. This could lead to time-based blind extraction of administrator password hashes, customer personally identifiable information (PII), and integrated payment-gateway credentials.

Recommendations: Update to version 6.7.0.
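The root cause above is that a quote-escaping helper cannot protect an identifier position such as the ORDER BY column or direction, where no quotes are involved; the control for that position is an allowlist. The following is an added illustration of that mitigation and is not CubeCart's code (it is written in Python against an in-memory SQLite table so it runs stand-alone; the table, column names, and sample rows are constructed for the example and are not CubeCart's schema):

```python
import sqlite3

# Illustrative allowlist of sortable columns and directions. These names are
# assumptions for the example, not CubeCart's real column names.
ALLOWED_SORT_COLUMNS = {"id", "order_id", "amount", "time"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

# Constructed sample rows standing in for a transactions listing.
SAMPLE_ROWS = [
    (1, "100-0001", 49.99, 1700000100),
    (2, "100-0002", 5.00, 1700000200),
    (3, "100-0003", 250.00, 1700000050),
]


def escape_quotes(value: str) -> str:
    """A quote-only escaper in the style the advisory describes.

    It neutralises string literals but leaves every other character alone,
    so it offers no protection in an identifier or keyword position such as
    the column name and direction of an ORDER BY clause.
    """
    return value.replace("'", "''")


def build_order_by(sort: dict) -> str:
    """Build an ORDER BY fragment from a user-supplied sort mapping.

    Both the column and the direction must match the allowlist exactly;
    anything else is rejected with ValueError rather than escaped.
    """
    clauses = []
    for column, direction in sort.items():
        if column not in ALLOWED_SORT_COLUMNS:
            raise ValueError(f"unknown sort column: {column!r}")
        normalized = str(direction).upper()
        if normalized not in ALLOWED_DIRECTIONS:
            raise ValueError(f"invalid sort direction: {direction!r}")
        # Only allowlisted identifiers reach the SQL string; quoting them is
        # belt-and-braces, the allowlist is the actual control.
        clauses.append(f'"{column}" {normalized}')
    return ("ORDER BY " + ", ".join(clauses)) if clauses else ""


def is_accepted(sort: dict) -> bool:
    """True if the sort mapping passes validation, False if it is rejected."""
    try:
        build_order_by(sort)
    except ValueError:
        return False
    return True


def list_transaction_ids(sort: dict) -> list:
    """Run the listing query against an in-memory table; return ids in result order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (id INTEGER, order_id TEXT, amount REAL, time INTEGER)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    query = "SELECT id FROM transactions " + build_order_by(sort)
    return [row[0] for row in conn.execute(query)]


if __name__ == "__main__":
    print(list_transaction_ids({"amount": "desc"}))
    print("accepted:", is_accepted({"amount DESC, id": "ASC"}))
```

The escaper is included only to make the point concrete: a sort value with no quote characters passes through it unchanged, which is why the column and direction must be compared against a fixed set rather than escaped. Parameterised queries do not help here either, since database drivers do not accept identifiers as bound parameters.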

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2026-45054

Affected Products: Cubecart