PT-2026-40815 · Cubecart+1

Published: 2026-05-13 · Updated: 2026-05-14 · CVE-2026-45714

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: CubeCart versions prior to 6.7.0

Description: An Authenticated Server-Side Template Injection (SSTI) exists in multiple modules, including Email Templates, Invoices, Documents, and Contact Forms. The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows an authenticated user with administrative privileges to execute arbitrary operating system commands (Remote Code Execution) on the server.

Recommendations: Update to version 6.7.0.
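
The missing control named in the description, shown as an added example (not CubeCart's code and not the 6.7.0 patch): rendering an admin-editable template string with a Smarty security policy enabled. It assumes the Smarty 3.x/4.x API (`Smarty_Security`, `enableSecurity()`) installed via Composer; `AdminTemplatePolicy`, `renderAdminTemplate` and the sample data are hypothetical names and constructed values.

```php
<?php
// Added example: assumes Smarty 3.x/4.x available through Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

// Hypothetical policy for templates that administrators can edit.
// In Smarty_Security, null means "nothing allowed"; an EMPTY ARRAY means
// "everything allowed" for these lists, so null is used deliberately.
class AdminTemplatePolicy extends Smarty_Security
{
    public $php_functions = null;        // no PHP functions callable from templates
    public $php_modifiers = null;        // no PHP functions usable as |modifiers
    public $static_classes = null;       // no Class::method() / Class::CONST access
    public $streams = null;              // no stream wrappers
    public $allow_constants = false;     // blocks {$smarty.const.*}
    public $allow_super_globals = false; // blocks {$smarty.server.*}, {$smarty.env.*}, ...
    public $disabled_tags = ['include', 'fetch', 'eval'];
}

// Render a template string under the policy. A template that violates the
// policy fails at compile time with a SmartyException and is never executed.
function renderAdminTemplate(string $source, array $vars): string
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile');
    $smarty->enableSecurity('AdminTemplatePolicy');
    $smarty->assign($vars);

    try {
        return $smarty->fetch('string:' . $source);
    } catch (SmartyException $e) {
        // Log for review: a rejected template edit is worth alerting on.
        error_log('Template rejected by security policy: ' . $e->getMessage());
        return '';
    }
}

// Constructed sample data.
$order = ['order' => ['id' => 'A-1001', 'name' => 'Sample Customer']];

// Ordinary variable output and Smarty's own escape modifier still work.
echo renderAdminTemplate('Order {$order.id|escape} for {$order.name|escape}', $order), PHP_EOL;

// Benign policy violation: constant access is refused, so this returns ''.
echo renderAdminTemplate('PHP {$smarty.const.PHP_VERSION}', $order), PHP_EOL;
```

Without the `enableSecurity()` call the second template compiles and renders, which is the unrestricted evaluation the description refers to.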

Exploit

Fix

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2026-45714

Affected Products: Cubecart, Smarty