External risk intelligence
CubeCart could allow authenticated administrators to gain full control and read sensitive files.
CubeCart could allow an attacker with compromised administrative credentials to execute commands on the server, potentially exposing sensitive configuration files or leading to a full compromise of operational systems. No active exploitation has been observed at this time.
Halo Surface Signal
2/5
The vulnerability resides within the administrative interface of the ecommerce platform. While the web application is public-facing, the specific vulnerable functionality is restricted to authenticated administrative users. In typical deployments, these administrative surfaces are protected by authentication and access controls, rather than being openly exposed as a public-facing service.
Exposure facts
H – Horizon Alert
CubeCart contains a security vulnerability involving the way it processes user input within its template engine. This flaw could allow an authenticated administrator to bypass existing security restrictions and execute unauthorized commands on the underlying server. Ultimately, this may result in the disclosure of sensitive configuration files or a full compromise of the server, potentially allowing an attacker to take complete control of the application environment.
A – Asset Exposure
The CubeCart ecommerce platform, specifically its Email Templates and Documents modules, is affected by this vulnerability. Because this issue requires existing administrative privileges to exploit, it is not a direct exposure to general internet traffic. If an administrative account is compromised, an attacker could potentially gain access to sensitive configuration files or take control of operational systems through arbitrary code execution.
L – Live Threat
Currently, the available context does not indicate active exploitation or observed targeting related to this vulnerability. Because this issue requires an attacker to already possess administrative privileges to successfully execute commands, the potential for external, unauthenticated abuse is limited. We have no information suggesting the existence of public exploit code or in-the-wild activity at this time.
O – Operational Fix
Please coordinate with your IT or development team to apply the latest security update for the CubeCart platform. This update addresses the identified vulnerability within the template engine, ensuring that administrative controls remain secure and properly restricted. We recommend prioritizing this installation during your next scheduled maintenance window to maintain overall system integrity.