CVE-2026-45053 · CRITICAL 9.1 · EPSS p43.3%

Description

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The endpoint allows any holder of an API key with files:rw permission to upload PHP source files into the web-accessible images/source/ directory, where they are executed by the web server. Combined with a path-traversal flaw in the same endpoint's filepath parameter, a single API request writes a webshell anywhere the webserver process can write — including the document root — yielding full Remote Code Execution. This vulnerability is fixed in 6.7.0.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.58% probability of exploitation · percentile 43.3% · 2026-06-18T12:00:27Z
Published: 2026-05-13
Last modified: 2026-05-15

Underlying weaknesses · 1

CWE-434

References

  1. https://github.com/cubecart/v6/security/advisories/GHSA-652f-8c88-25cx

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Unrestricted Upload of File with Dangerous Type (cwe-434) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-44377
  2. CVE-2026-45714
  3. CVE-2026-34018
  4. CVE-2026-45055
  5. CVE-2026-44376
  6. CVE-2025-4387

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.