CVE-2026-45708 Overview
CVE-2026-45708 is a PHP code injection vulnerability in CubeCart, an open-source ecommerce platform. Versions prior to 6.7.3 allow an administrator with documents edit permission to embed raw <?php ... ?> payloads into the Invoice Editor. When any admin later clicks Print on an order, CubeCart writes the rendered template to files/print.<md5>.php. The shipped files/.htaccess contains an explicit <Files print.*.php> allow-from-all carve-out, exposing the file to unauthenticated visitors who can trigger code execution. The issue is fixed in CubeCart 6.7.3 and is tracked under [CWE-94].
Critical Impact
Authenticated administrators can plant PHP web shells reachable by unauthenticated attackers, leading to full server compromise.
Affected Products
- CubeCart 6.x prior to 6.7.3
- CubeCart Invoice Editor (documents edit permission)
- CubeCart shipped files/.htaccess configuration
Discovery Timeline
- 2026-05-13 - CVE-2026-45708 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45708
Vulnerability Analysis
CubeCart's Invoice Editor accepts template content from administrators with the documents edit permission. The editor does not strip or escape PHP open tags before persisting the template. When an administrator clicks Print on any order, CubeCart renders the template and writes the output to files/print.<md5>.php on disk. Because the file carries a .php extension and resides under the web root, the server interprets any embedded PHP at request time.
The second half of the issue lives in the default files/.htaccess. CubeCart ships a deny-by-default policy for the files/ directory, then adds an explicit carve-out: <Files print.*.php> allow from all </Files>. This rule permits anonymous HTTP access to any file matching print.*.php, including the attacker-controlled artifact produced by the print action.
Chaining these behaviors yields unauthenticated remote code execution. The attacker still needs initial administrative access with documents edit permission, which is why the CVSS vector reports PR:H. However, the executed payload runs in the unauthenticated request context of any visitor that fetches the print file.
Root Cause
The root cause is improper neutralization of code within stored template data [CWE-94], compounded by an over-permissive .htaccess rule that exposes generated PHP files to the public web. CubeCart treats the Invoice Editor as trusted content but writes it to a server-executable location.
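The write-time gate below is an added illustration of the CWE-94 fix direction just described; it is not CubeCart's code and not the 6.7.3 patch. It assumes hypothetical function names, treats every `<?` as a PHP open tag (covering `<?php`, `<?=`, and the bare short tag), and, for the second half of the root cause, assumes the rendered print file can be given a non-executable `.html` extension. The sample templates are constructed.

```python
import re

# Added example (not CubeCart's code and not the 6.7.3 patch): a write-time gate
# for stored invoice templates showing the CWE-94 fix direction described above.
# Function names and the .html artifact path are assumptions for illustration.

# Any "<?" can switch the interpreter into PHP mode (<?php, <?=, or the bare
# short tag when short_open_tag is enabled), so every occurrence is treated
# as executable content.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)?", re.IGNORECASE)


class UnsafeTemplateError(ValueError):
    """Raised when a template would be persisted with a PHP open tag inside."""


def find_php_tags(template: str) -> list[str]:
    """Return every PHP open tag in the template body (empty list = clean)."""
    return [m.group(0) for m in PHP_OPEN_TAG.finditer(template)]


def template_is_safe(template: str) -> bool:
    """True when the body carries no PHP open tag at all."""
    return not find_php_tags(template)


def validate_invoice_template(template: str) -> str:
    """Reject-on-write: refuse to store a template carrying PHP open tags."""
    tags = find_php_tags(template)
    if tags:
        raise UnsafeTemplateError(f"template contains PHP open tag(s): {tags}")
    return template


def neutralize_template(template: str) -> str:
    """Escape-on-write alternative: turn each open tag into inert text (&lt;?...)
    so the stored body can never enter PHP mode when rendered."""
    return PHP_OPEN_TAG.sub(lambda m: "&lt;" + m.group(0)[1:], template)


def print_artifact_path(order_md5: str, base_dir: str = "files") -> str:
    """Second half of the fix: emit the rendered print file with a non-executable
    extension (assumed .html) so the web server serves it as static content
    regardless of any .htaccess carve-out."""
    return f"{base_dir}/print.{order_md5}.html"


# Constructed sample templates (not taken from any CubeCart install).
BENIGN_TEMPLATE = "<h1>Invoice {ORDER_ID}</h1><p>Total: {TOTAL}</p>"
INJECTED_TEMPLATE = "<h1>Invoice</h1><?php echo 'injected'; ?><p><?= 'x' ?></p>"
```

Rejecting the template is the stronger choice for an admin-facing editor: a template author has no legitimate reason to store PHP, and a loud failure surfaces an abused account sooner than silent escaping does.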
Attack Vector
An attacker who controls or compromises an admin account with documents edit permission saves a malicious invoice template containing raw PHP. Any subsequent Print action by any admin materializes the payload as files/print.<md5>.php. The attacker then requests that URL anonymously over the network to execute arbitrary PHP under the web server account.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-747j-4mmc-cj63 for the maintainer's technical write-up.
Detection Methods for CVE-2026-45708
Indicators of Compromise
- Presence of files matching files/print.*.php containing PHP tags, function calls such as system, exec, passthru, or eval, or base64-encoded blobs.
- Web server access logs showing unauthenticated GET requests to /files/print.<md5>.php from external IP addresses.
- Invoice or document templates in the CubeCart database containing <?php or <?= sequences.
- New or modified administrator accounts with documents edit permission preceding template changes.
Detection Strategies
- Hash and inventory all files under files/ and alert on any print.*.php artifact that contains executable PHP constructs.
- Inspect the CubeCart_documents table for template bodies containing PHP open tags or suspicious function names.
- Correlate admin Print actions in CubeCart audit logs with subsequent unauthenticated requests to the resulting file path.
Monitoring Recommendations
- Enable web server access logging and ship logs to a centralized analytics platform for retention and search.
- Monitor file integrity on the files/ directory and trigger on creation of any .php file.
- Track administrator authentication events and permission changes affecting documents edit rights.
How to Mitigate CVE-2026-45708
Immediate Actions Required
- Upgrade CubeCart to version 6.7.3 or later, which removes the unsafe template handling and .htaccess carve-out.
- Audit the files/ directory and delete any print.*.php artifacts that contain PHP code or unexpected content.
- Review administrator accounts and revoke documents edit permission from users who do not require it.
- Rotate administrator credentials and session tokens if compromise is suspected.
Patch Information
The vendor fixed the issue in CubeCart 6.7.3. See the CubeCart GitHub Security Advisory for the patch details and upgrade instructions.
Workarounds
- Remove the <Files print.*.php> allow from all </Files> block from files/.htaccess to prevent unauthenticated retrieval of generated print files.
- Configure the web server to refuse execution of PHP under the files/ directory using a php_flag engine off directive (honored only when PHP runs as mod_php) or by removing the PHP handler and adding an AddType text/plain .php override (needed when PHP runs through PHP-FPM or FastCGI, which ignores php_flag).
- Restrict access to the CubeCart admin panel by IP allowlist or VPN until the upgrade is applied.
# Apache override to disable PHP execution under files/
# Place in files/.htaccess (replaces the vulnerable carve-out)
<IfModule mod_php.c>
php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
AddType text/plain .php .phtml .php3
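A configuration audit for the two workarounds above, added here as an example that is not CubeCart code: it reports whether a files/.htaccess still carries a permissive <Files print.*.php> block and whether the PHP-execution overrides are present. Both .htaccess samples are constructed; the vulnerable one approximates the deny-by-default-plus-carve-out shape described above and is not the file CubeCart ships, and the hardened one is the override block shown above with the carve-out removed.

```python
import re

# Added example, not CubeCart code: audit a files/.htaccess for the permissive
# <Files print.*.php> carve-out and for the PHP-execution overrides shown above.
# Both .htaccess samples below are constructed; neither is the file CubeCart ships.

FILES_BLOCK = re.compile(r"<Files\s+\"?([^\">]+?)\"?\s*>(.*?)</Files>",
                         re.IGNORECASE | re.DOTALL)
PERMISSIVE = re.compile(r"^\s*(?:allow\s+from\s+all|Require\s+all\s+granted)\s*$",
                        re.IGNORECASE | re.MULTILINE)
ENGINE_OFF = re.compile(r"^\s*php_flag\s+engine\s+off\s*$", re.IGNORECASE | re.MULTILINE)
HANDLER_REMOVED = re.compile(r"^\s*(?:RemoveHandler|RemoveType)\s+.*\.php\b",
                             re.IGNORECASE | re.MULTILINE)
SERVED_AS_TEXT = re.compile(r"^\s*AddType\s+text/plain\s+.*\.php\b",
                            re.IGNORECASE | re.MULTILINE)


def strip_comments(text: str) -> str:
    """Drop '#' comment lines so a commented-out carve-out is not counted."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def audit_files_htaccess(text: str) -> dict:
    """Report any public print.*.php carve-out and the hardening directives present."""
    body = strip_comments(text)
    carve_outs = [
        pattern for pattern, inner in FILES_BLOCK.findall(body)
        if pattern.lower().startswith("print.") and pattern.lower().endswith(".php")
        and PERMISSIVE.search(inner)
    ]
    return {
        "print_carve_out": carve_outs,
        "php_engine_off": bool(ENGINE_OFF.search(body)),
        "php_handler_removed": bool(HANDLER_REMOVED.search(body)),
        "php_served_as_text": bool(SERVED_AS_TEXT.search(body)),
    }


def is_hardened(report: dict) -> bool:
    """No public carve-out, and PHP cannot run: engine off (mod_php) or, for
    PHP-FPM where php_flag is ignored, handler removed and .php served as text."""
    no_exec = report["php_engine_off"] or (
        report["php_handler_removed"] and report["php_served_as_text"])
    return not report["print_carve_out"] and no_exec


# Constructed approximation of a deny-by-default files/.htaccess with the carve-out.
VULNERABLE_HTACCESS = """\
Order deny,allow
Deny from all
<Files print.*.php>
allow from all
</Files>
"""

# The override from the workaround above, with the carve-out removed.
HARDENED_HTACCESS = """\
Order deny,allow
Deny from all
# <Files print.*.php> carve-out removed
<IfModule mod_php.c>
php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
AddType text/plain .php .phtml .php3
"""
```

A static audit only shows what the file asks for; it cannot tell whether Apache honors it (AllowOverride must permit these directives in .htaccess, and php_flag has no effect under PHP-FPM). Confirm on the live server by placing a harmless marker file under files/ and checking that it comes back as plain text rather than being interpreted.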
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.