CVE-2026-44377 Overview
CVE-2026-44377 is a Server-Side Template Injection (SSTI) vulnerability in CubeCart, an open-source ecommerce platform. The flaw affects all versions prior to 6.7.0 and is tracked under [CWE-94] Improper Control of Generation of Code. Multiple administrative modules, including Email Templates and Documents, pass user-supplied input directly to the Smarty template engine without adequate sanitization. An authenticated attacker with administrative privileges can bypass existing restrictions and invoke native PHP functions from within templates. Successful exploitation leads to information disclosure and full Remote Code Execution (RCE) on the underlying web server. The issue is fixed in CubeCart 6.7.0.
Critical Impact
Authenticated administrators can execute arbitrary PHP code on the host through Smarty template injection, resulting in full server compromise.
Affected Products
- CubeCart versions prior to 6.7.0
- CubeCart Email Templates module
- CubeCart Documents module
Discovery Timeline
- 2026-05-13 - CVE-2026-44377 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44377
Vulnerability Analysis
The vulnerability stems from unsafe evaluation of administrator-supplied content by the Smarty template engine. CubeCart uses Smarty to render dynamic content for email templates and document layouts. Inputs from these modules reach the template compiler without escaping or restricting Smarty's PHP function call surface. Attackers craft template directives that resolve to native PHP function calls during render. This converts a content-management feature into a code execution primitive within the web application context.
Root Cause
The root cause is improper input neutralization in the template compilation path [CWE-94]. CubeCart trusts administrative input and disables or fails to enforce Smarty's security policy that normally restricts PHP function invocation. Because the engine evaluates expressions on the server, any unsanitized template token becomes executable code. The fix in version 6.7.0 constrains the functions and modifiers callable from template contexts.
Attack Vector
Exploitation requires authenticated access with administrative privileges to the CubeCart admin panel. The attacker edits an Email Template or Document and embeds a Smarty expression that invokes PHP functions. Calls to readgzfile() can leak global.inc.php or other configuration files containing database credentials. Calls to error_log() with mode 3 can write attacker-controlled bytes to a .php path under the webroot, creating a persistent web shell. Triggering preview or send actions renders the template and executes the embedded payload. Refer to the GitHub Security Advisory GHSA-wpjx-g695-qc5j for technical details.
Detection Methods for CVE-2026-44377
Indicators of Compromise
- Unexpected .php files written under the CubeCart webroot, particularly in template, cache, or upload directories.
- Web server process spawning shells or invoking outbound network connections from PHP-FPM or Apache.
- Modifications to Email Template or Document records containing Smarty tokens referencing readgzfile, error_log, file_put_contents, or system.
- Access to sensitive paths such as includes/global.inc.php from the admin session.
Detection Strategies
- Inspect the CubeCart database tables backing email templates and documents for Smarty syntax containing PHP function names.
- Monitor PHP error and access logs for renders of admin template editor endpoints followed by anomalous file writes.
- Correlate administrative logins with subsequent file system changes in the CubeCart installation directory.
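The first detection strategy above, turned into a triage script: an added example in PHP, not CubeCart's own code, that flags stored Email Template and Document bodies whose Smarty tags reference PHP functions. The records are constructed inline; the table and column names you would read them from are an assumption and vary by install prefix.

```php
<?php
// Added example (not CubeCart's code): flag template bodies whose Smarty tags
// reach native PHP, as a direct call {fn(...)}, a modifier {$x|fn} / {$x|@fn},
// or a {php} block. Default Smarty delimiters are assumed (CubeCart uses them).

// Functions the advisory associates with this issue plus a few obvious peers.
const WATCHED_FUNCTIONS = [
    'readgzfile', 'error_log', 'file_put_contents', 'system',
    'exec', 'shell_exec', 'passthru', 'eval', 'fopen', 'fwrite', 'file_get_contents',
];

/** One finding per suspicious tag: byte offset, function name and the raw tag. */
function findSuspiciousSmartyTags(string $body): array
{
    $names = implode('|', array_map('preg_quote', WATCHED_FUNCTIONS));
    $findings = [];
    // Simple matcher: every {...} tag without nested braces.
    if (preg_match_all('/\{[^{}]*\}/s', $body, $tags, PREG_OFFSET_CAPTURE) === 0) {
        return $findings;
    }
    foreach ($tags[0] as [$tag, $offset]) {
        $hit = preg_match('/\b(' . $names . ')\s*\(/i', $tag, $m)      // {readgzfile("...")}
            || preg_match('/\|\s*@?(' . $names . ')\b/i', $tag, $m)  // {$x|@readgzfile}
            || preg_match('/^\{\s*\/?php\b/i', $tag, $m);            // {php} ... {/php}
        if ($hit) {
            $findings[] = ['offset' => $offset, 'function' => $m[1] ?? 'php-block', 'tag' => $tag];
        }
    }
    return $findings;
}

// Constructed sample rows standing in for the email template and document tables.
$records = [
    ['id' => 1, 'title' => 'Order confirmation', 'content' => 'Hi {$DATA.name}, order {$ORDER.id} is confirmed.'],
    ['id' => 2, 'title' => 'Terms',              'content' => 'Terms... {readgzfile("includes/global.inc.php")}'],
    ['id' => 3, 'title' => 'Footer',             'content' => '{$DATA.path|@readgzfile} and {$DATA.text|escape}'],
];

foreach ($records as $row) {
    foreach (findSuspiciousSmartyTags($row['content']) as $f) {
        printf("record %d (%s): %s at offset %d -> %s\n",
            $row['id'], $row['title'], $f['function'], $f['offset'], $f['tag']);
    }
}
```

Records 2 and 3 are reported; record 1 is clean. Treat hits as leads to review against the admin audit log, since legitimate templates rarely need any of these names.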
Monitoring Recommendations
- Enable file integrity monitoring on the CubeCart application directory and alert on new or modified .php files.
- Forward web server, PHP, and CubeCart admin audit logs to a centralized analytics platform for correlation.
- Alert on web server processes spawning child processes such as sh, bash, python, or perl.
How to Mitigate CVE-2026-44377
Immediate Actions Required
- Upgrade CubeCart to version 6.7.0 or later on all production and staging stores.
- Rotate database credentials, admin passwords, and API keys stored in global.inc.php after patching.
- Audit recent changes to Email Templates and Documents and revert any unauthorized modifications.
- Review the webroot for unknown .php files and remove confirmed web shells.
Patch Information
CubeCart 6.7.0 addresses the issue by restricting unsafe PHP function calls from the Smarty template context. See the upstream fix in the GitHub Commit 76d783c and the GitHub Security Advisory GHSA-wpjx-g695-qc5j.
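To make the Root Cause and the fix concrete, here is the weak setting beside the corrected one: an added example in PHP, not CubeCart's or Smarty's own code. It assumes Smarty 3.1/4.x class names (Smarty 5 moved them into the Smarty namespace), an autoloader path and a writable temp directory.

```php
<?php
// Added example, not CubeCart's or Smarty's own code. Renders the same administrator-
// supplied template without a security policy (the pre-6.7.0 condition) and under an
// explicit allow-list policy. Assumes Smarty 3.1/4.x and a writable temp directory.
require_once __DIR__ . '/vendor/autoload.php'; // assumption: path to your Smarty install

// Constructed sample: a Document body that calls a native PHP function from a tag
// (readgzfile is the file-disclosure primitive named in the advisory).
$untrustedTemplate = 'Welcome {$name}! {readgzfile("includes/global.inc.php")}';

function newSmarty(): Smarty
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_c');
    return $smarty;
}

// Weak: no policy at all (Smarty's default). {readgzfile(...)} compiles straight into
// a PHP call, so the configuration file would be emitted into the rendered document.
$weak = newSmarty();
$weak->disableSecurity();
$weak->assign('name', 'admin');
// $weak->fetch('string:' . $untrustedTemplate); // deliberately not executed

// Hardened: allow-list policy restricting the functions and modifiers templates may call.
$hardened = newSmarty();
$policy = new Smarty_Security($hardened);
// Caveat: Smarty treats an EMPTY php_functions array as "allow everything";
// use null to forbid all native calls, or list exactly what templates need.
$policy->php_functions = ['isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array', 'time'];
$policy->php_modifiers = ['escape', 'count', 'nl2br'];
$policy->allow_constants = false;      // no {$smarty.const.*} lookups
$policy->allow_super_globals = false;  // no {$smarty.get/.post/.server} access
$hardened->enableSecurity($policy);
$hardened->assign('name', 'admin');

try {
    echo $hardened->fetch('string:' . $untrustedTemplate), PHP_EOL;
} catch (SmartyCompilerException $e) {
    // Compilation fails before anything runs:
    // "PHP function 'readgzfile' not allowed by security setting"
    echo 'Rejected at compile time: ', $e->getMessage(), PHP_EOL;
}
```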
Workarounds
- Restrict admin panel access to trusted IP ranges using web server ACLs or a reverse proxy.
- Enforce strong authentication and multi-factor authentication for all CubeCart administrative accounts.
- Reduce the number of accounts granted administrative privileges until the upgrade is complete.
- Run the PHP process under a least-privileged user without write access to the webroot where feasible.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.