cubecart — Vulnerabilities & Security Advisories (13)

Browse all 13 CVE security advisories affecting cubecart. AI-powered Chinese analysis, POCs, and references for each vulnerability.

CubeCart is an open-source e-commerce platform enabling businesses to create and manage online stores. Historically, it has been susceptible to various vulnerabilities including remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation and authentication flaws. The platform's 4 recorded CVEs highlight these security concerns, with some incidents allowing attackers to execute arbitrary code or gain unauthorized administrative access. Despite these issues, CubeCart remains a popular choice for small to medium-sized online retailers seeking a cost-effective solution, though users must remain vigilant about applying security patches and following hardening guidelines to mitigate risks.

Top products by cubecart: v6
Unknown · GHSA-wpjx-g695-qc5j · 2026-05-22
GHSA-wpjx-g695-qc5j — block SSTI/RCE via dangerous PHP functions in t… · cubecart/v6@76d783c · GitHub

Critical · 2026-05-22
Authenticated Arbitrary File Upload to RCE in REST Files API · Advisory · cubecart/v6 · GitHub

Critical · 2026-05-22
Authenticated RCE via Invoice Template → Order Print · Advisory · cubecart/v6 · GitHub

High · 2026-05-22
Time-based Blind SQL Injection in CubeCart v6.x.x · Advisory · cubecart/v6 · GitHub

High · CVE-2026-4505 · 2026-05-22
Pre-Authenticated Password Reset Link Poisoning via HTTP Host Header · Advisory · cubecart/v6 · GitHub

Medium · 2026-05-22
Reflected XSS in Store Search Bar · Advisory · cubecart/v6 · GitHub

Medium · 2026-05-22
Stored Cross-Site Scripting (XSS) in CubeCart v6.x.x · Advisory · cubecart/v6 · GitHub

Critical · CVE-2026-6714 · 2026-05-22
Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE · Advisory · cubecart/v6 · GitHub

Critical · 2026-05-22
Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE (New!) · Advisory · cubecart/v6 · GitHub

Critical · 2026-05-22
Authenticated SQL Injection via `sort[]` Parameter in Admin Orders Transactions Listing · Advisory · cubecart/v6 · GitHu

High · CVE-2025-59412 · 2025-09-24
CVE-2025-59412 - Patch · cubecart/v6@7d4bf59 · GitHub

Medium · 2025-09-24
Stored/Reflected HTML Injection in Contact Enquiry — Admin Receives Raw HTML · Advisory · cubecart/v6 · GitHub

High · CVE-2025-59411 · 2025-09-24
Merge commit from fork · cubecart/v6@48336c5 · GitHub

Medium · 2025-09-24
Unauthorized Victim Newsletter Unsubscription via force_unsubscribe Parameter · Advisory · cubecart/v6 · GitHub

Showing up to 20 recent security advisories.

This page lists every published CVE security advisory associated with cubecart. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.