External risk intelligence

CubeCart store could be taken over by attackers due to file upload flaw

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-45053

CubeCart's e-commerce stores are vulnerable to takeover via a critical file upload flaw in its API. Attackers can execute code on your server, potentially stealing data or gaining full control. This affects all versions prior to 6.7.0.

Halo Surface Signal: 4

Unrestricted File Upload

External exposure likelihood

Halo Surface Signal score for CVE-2026-45053

CubeCart is an e-commerce platform consistently deployed as an internet-facing web application. The vulnerable REST API endpoint is a core feature of the software and is commonly exposed to the internet to support business integrations and functionality, making it a likely target for external reachability.

Horizon Alert

Summary of the vulnerability and why it matters

An authenticated arbitrary file upload vulnerability in CubeCart's REST API allows malicious code to be executed on the server. This means an attacker could potentially take complete control of your e-commerce platform.

  • This could lead to data theft.
  • It impacts all CubeCart versions before 6.7.0.
  • The vulnerability is reachable from the internet.

Attack Path

How an attacker could exploit the issue

An attacker with an API key possessing "files:rw" permissions can exploit this vulnerability to upload a webshell. By chaining a path traversal flaw with the file upload capability, they can place this webshell in a web-accessible directory, enabling remote code execution on the server.

  • Requires API key with specific permissions.
  • Targets REST API file manager endpoint.
  • Uploads PHP webshell for RCE.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows authenticated arbitrary file upload leading to remote code execution, which is highly attractive to attackers. The flaw affects CubeCart, an e-commerce platform, and permits writing webshells anywhere the webserver process has write access, including the document root. While exploitation requires an API key with specific permissions, the direct path to full system compromise makes it a significant threat once an attacker gains initial access.

  • Remote code execution potential is high.
  • Exploitation requires authenticated access.
  • Fix is available in version 6.7.0.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize blocking access to the affected REST API endpoint and immediately investigate any authenticated users or API keys with `files:rw` permissions. Given the critical nature of this vulnerability allowing for remote code execution, if evidence of exploitation or a high likelihood of compromise is found, affected services must be taken offline or isolated until CubeCart is updated to version 6.7.0 or later.

  • Block network access to the API.
  • Update CubeCart to 6.7.0.
  • Monitor logs for unusual file uploads.
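One way to act on the log-monitoring step above, as an added example that is not the advisory's or CubeCart's own code: a small Python scanner that flags write requests to the file-manager API whose path, after full URL decoding, carries a traversal sequence or a PHP-executable filename. The API prefix is an assumption (the advisory does not give the endpoint path), and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote
# Endpoint prefix is an assumption: the advisory names a "REST API file manager
# endpoint" but not its path, so set this to your deployment's real prefix.
FILE_API_PREFIX = "/api/"
WRITE_METHODS = {"POST", "PUT", "PATCH"}
TRAVERSAL = re.compile(r"\.\.[/\\]")                    # ../ or ..\ after decoding
PHP_EXT = re.compile(r"\.ph(p\d?|tml|ar)(\b|$)", re.I)  # .php .php5 .phtml .phar
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')
@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    reasons: list

def decode_path(path):
    # Decode until stable so double-encoded %252e%252e cannot slip past one pass.
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path

def inspect(line):
    # Flag write requests to the file API carrying traversal or a PHP filename.
    m = LOG_RE.match(line)
    if not m or m["method"] not in WRITE_METHODS:
        return None
    path = decode_path(m["path"])
    if not path.startswith(FILE_API_PREFIX):
        return None
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("path traversal sequence")
    if PHP_EXT.search(path):
        reasons.append("php filename")
    return Finding(m["ip"], m["ts"], path, reasons) if reasons else None

def scan(lines):
    return [f for f in map(inspect, lines) if f]

# Constructed sample lines in Apache combined-log style, not from a real incident.
SAMPLE = [
    '203.0.113.7 - - [10/May/2026:10:01:02 +0000] "POST /api/files/upload?name=..%2F..%2Fshell.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2026:10:01:09 +0000] "POST /api/files/upload?name=catalog.csv HTTP/1.1" 200 77',
    '198.51.100.3 - - [10/May/2026:10:02:00 +0000] "GET /api/products HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/May/2026:10:02:30 +0000] "PUT /api/files/%252e%252e/images/x.phtml HTTP/1.1" 201 0',
]
```

Feed it your access log and triage the flagged source addresses against the API keys that hold `files:rw`; a hit on a key that should not be uploading PHP at all is the strongest signal.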

Frequently asked questions

What is CubeCart and what is its purpose?

CubeCart is an e-commerce software solution designed to power online stores. It provides businesses with the necessary tools and a framework to sell products and manage their online sales operations effectively.

How does the CVE-2026-45053 vulnerability lead to remote code execution?

This vulnerability is classified as an authenticated arbitrary file upload weakness. An attacker with specific API key permissions can upload a malicious PHP file via the REST API. This, combined with a path traversal flaw, allows the file to be placed in a web-accessible location, enabling the attacker to execute code on the server.

What specific weakness class is associated with CVE-2026-45053?

CVE-2026-45053 is associated with the weakness class CWE-434, Unrestricted Upload of File with Dangerous Type.

What is the significance of this vulnerability for CubeCart users?

This vulnerability allows an attacker with specific API key permissions to upload a webshell and execute remote code. By chaining a path traversal flaw, the webshell can be placed in a web-accessible directory, potentially leading to complete control over the e-commerce platform and the possibility of data theft. The Halo Surface Signal indicates this is a likely threat due to CubeCart's common internet-facing deployment.

What is the recommended action to mitigate CVE-2026-45053?

The recommended action is to update CubeCart to version 6.7.0 or later. Additionally, teams should consider blocking network access to the affected REST API endpoint and monitoring logs for any unusual file uploads. Isolating or taking affected services offline until updated may be necessary if exploitation is suspected or highly likely.
