CVE-2026-45053

Source
https://cve.org/CVERecord?id=CVE-2026-45053
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45053.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45053
Aliases
  • GHSA-652f-8c88-25cx
Published
2026-05-13T20:42:08.152Z
Modified
2026-07-08T08:13:30.359809630Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
CubeCart: Authenticated Arbitrary File Upload to RCE in REST Files API
Details

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The endpoint allows any holder of an API key with files:rw permission to upload PHP source files into the web-accessible images/source/ directory, where they are executed by the web server. Combined with a path-traversal flaw in the same endpoint's filepath parameter, a single API request writes a webshell anywhere the webserver process can write — including the document root — yielding full Remote Code Execution. This vulnerability is fixed in 6.7.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45053.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-434"
    ]
}
References

Affected packages

Git / github.com/cubecart/v6

Affected ranges

Type
GIT
Repo
https://github.com/cubecart/v6
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.7.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

2.*
2.6.7
6.*
6.0.0
6.0.0b1
6.0.0b2
6.0.0b3
6.0.0b4
6.0.0b5
6.0.0b6
6.0.0b7
6.0.1
6.0.10
6.0.11
6.0.12
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.8
6.0.9
6.1.0
6.1.1
6.1.10
6.1.11pr
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
6.1.9
6.2.0
6.2.0-b1
6.2.0-rc1
6.2.0-rc2
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.8
6.2.9
6.4.0
6.4.0-b1
6.4.0-b2
6.4.1
6.4.10
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.4.7
6.4.8
6.4.9
6.5.0
6.5.1
6.5.10
6.5.11
6.5.12
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.8
6.5.9
6.6.0
6.6.1
6.6.2
6.6.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45053.json"