{"id":"CVE-2026-45053","summary":"CubeCart: Authenticated Arbitrary File Upload to RCE in REST Files API","details":"CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The endpoint allows any holder of an API key with files:rw permission to upload PHP source files into the web-accessible images/source/ directory, where they are executed by the web server. Combined with a path-traversal flaw in the same endpoint's filepath parameter, a single API request writes a webshell anywhere the webserver process can write — including the document root — yielding full Remote Code Execution. This vulnerability is fixed in 6.7.0.","aliases":["GHSA-652f-8c88-25cx"],"modified":"2026-07-08T08:13:30.359809630Z","published":"2026-05-13T20:42:08.152Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45053.json","cwe_ids":["CWE-434"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45053.json"},{"type":"ADVISORY","url":"https://github.com/cubecart/v6/security/advisories/GHSA-652f-8c88-25cx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45053"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cubecart/v6","events":[{"introduced":"0"},{"fixed":"0b5a6d0f1872e634d4b0e30c08f2ec9ba19fd9b5"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"6.7.0"}]}}],"versions":["6.6.3","6.6.2","6.6.1","6.6.0","6.5.12","6.5.11","6.5.10","6.5.9","6.5.8","6.5.6","6.5.5","6.5.4","6.5.3","6.5.2","6.5.1","6.5.0","6.4.10","6.4.9","6.4.8","6.4.7","6.4.6","6.4.5","6.4.4","6.4.3","6.4.2","6.4.1","6.4.0","6.4.0-b2","6.4.0-b1","6.2.9","6.2.8","2.6.7","6.2.6","6.2.5","6.2.4","6.2.3","6.2.2","6.2.1","6.2.0","6.2.0-rc2","6.2.0-rc1","6.2.0-b1","6.1.11pr","6.1.10","6.1.9","6.1.8","6.1.7","6.1.6","6.1.5","6.1.4","6.1.3","6.1.2","6.1.1","6.1.0","6.0.12","6.0.11","6.0.10","6.0.9","6.0.8","6.0.6","6.0.5","6.0.4","6.0.3","6.0.2","6.0.1","6.0.0","6.0.0b7","6.0.0b6","6.0.0b5","6.0.0b4","6.0.0b3","6.0.0b2","6.0.0b1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45053.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}