PT-2026-40814 · Cubecart · Cubecart

Published: 2026-05-13 · Updated: 2026-05-14 · CVE-2026-45708

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

CubeCart versions prior to 6.7.3

Description

An administrator with documents edit permission can save raw PHP code into the Invoice Editor. When any administrator clicks Print on an order, the rendered template is written to files/print.<md5>.php. Because files/.htaccess contains an explicit carve-out that allows all access to print.*.php files, the file can be fetched and executed by any unauthenticated visitor.

Recommendations

Update to version 6.7.3.
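
For triage on a host that ran a version prior to 6.7.3, the following added example (not CubeCart code and not part of the original advisory) lists every files/print.<md5>.php under a webroot and flags those containing a PHP open tag for review. It assumes "<md5>" means 32 hexadecimal characters; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: "<md5>" in the advisory means 32 hexadecimal characters.
PRINT_FILE = re.compile(r"^print\.[0-9a-fA-F]{32}\.php$")
# PHP open tags: "<?php", short echo "<?=", and bare "<?" (but not "<?xml").
PHP_TAG = re.compile(rb"<\?(?:php\b|=|(?!xml))", re.IGNORECASE)


def audit_print_files(webroot):
    """Return [(filename, has_php_tag)] for each files/print.<md5>.php."""
    files_dir = Path(webroot) / "files"
    results = []
    if not files_dir.is_dir():
        return results
    for entry in sorted(files_dir.iterdir()):
        if entry.is_file() and PRINT_FILE.match(entry.name):
            # Rendered invoices are small, so reading them whole is fine.
            data = entry.read_bytes()
            results.append((entry.name, bool(PHP_TAG.search(data))))
    return results


def build_sample(root):
    """Constructed sample tree for the demo; not real CubeCart output."""
    files = Path(root) / "files"
    files.mkdir(parents=True)
    (files / ("print." + "a" * 32 + ".php")).write_text(
        "<html><body>Invoice #1</body></html>")
    (files / ("print." + "b" * 32 + ".php")).write_text(
        "<html><?php /* constructed marker */ ?></html>")
    # Name does not match print.<md5>.php, so it is out of scope here.
    (files / "print.notes.php").write_text("<?php ?>")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, flagged in audit_print_files(build_sample(tmp)):
            print("REVIEW" if flagged else "ok    ", name)
```

Point `audit_print_files` at the real CubeCart webroot in place of the sample tree; a flagged file warrants checking the saved Invoice Editor template as well.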

Exploit · Fix · RCE · Code Injection

Related Identifiers: CVE-2026-45708

Affected Products: Cubecart