Executive Summary
A critical authenticated Server-Side Template Injection (SSTI) vulnerability has been disclosed in CubeCart, a widely used open-source e-commerce platform. Tracked as CVE-2026-44377 with a CVSS score of 9.1 (Critical), the flaw exists in multiple modules — including Email Templates and Documents — where user-supplied input is unsafely evaluated through the Smarty template engine. An authenticated attacker with API key access can achieve remote code execution on the underlying server.
Fixed in: CubeCart 6.7.0
Vulnerability Overview
Root Cause
The vulnerability arises because CubeCart passes user-controlled template content directly to the Smarty templating engine without sanitization or sandboxing. Smarty's template language supports function calls and PHP code execution in certain configurations, allowing an attacker to craft payloads that execute arbitrary system commands.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-44377 |
| CVSS Score | 9.1 (Critical) |
| CWE | CWE-94 — Improper Control of Code Generation |
| Type | Authenticated Server-Side Template Injection |
| Attack Vector | Network |
| Authentication | Required (API key or admin session) |
| Privileges Required | Low |
| User Interaction | None |
Affected Components
- Email Templates module
- Documents module
- Any other CubeCart module that passes user input to the Smarty renderer
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| CubeCart | < 6.7.0 | 6.7.0 |
Technical Details
How SSTI Works in Smarty
Smarty templates support directives enclosed in { and } delimiters. Depending on the Smarty configuration ({php} tags, {fetch}, custom modifiers), attackers can escalate from template manipulation to OS command execution.
A typical SSTI payload targeting Smarty might look like:
{system('id')}
Other payloads use the {fetch} directive to read arbitrary files, or chain Smarty plugins to reach code execution. In CubeCart's default configuration the Smarty security sandbox is insufficiently configured, so such payloads are evaluated rather than rejected.
Attack Scenario
- Attacker obtains an API key with write access (or gains authenticated admin access)
- Attacker navigates to Email Templates or Documents in the CubeCart admin panel
- A crafted Smarty payload is inserted into a template field
- When the template is rendered — either by triggering an email or previewing a document — the payload executes on the server
- Attacker achieves Remote Code Execution, potentially escalating to full server compromise
Impact Assessment
Severity Factors
- CVSS 9.1 — Near-maximum critical rating
- Code execution as the web server user, potentially root in misconfigured environments
- Persistence — Attacker can write webshells or modify application files
- Data exfiltration — Database credentials, customer PII, payment records accessible
- Supply chain risk — E-commerce platforms are high-value targets (card data, credentials)
Who Is at Risk
Any organization running CubeCart prior to version 6.7.0 where:
- The admin panel is reachable (even if only from an internal network)
- API keys have been issued with template editing permissions
- Multi-tenant or managed hosting environments where users can edit templates
Remediation
Immediate Action
Upgrade to CubeCart 6.7.0 which disables or sandboxes the unsafe Smarty evaluation paths.
```text
# Download and apply the 6.7.0 update via CubeCart admin
# Admin Panel > Store Settings > Check for Updates
```
If Immediate Patching Is Not Possible
- Restrict admin panel access to trusted IP ranges via firewall rules or `.htaccess`
- Audit API keys — Revoke any keys with `templates:rw` or broad write permissions
- Disable Email Template editing for non-administrator users
- Enable Smarty security mode manually in `conf/config.inc.php` if possible
- Monitor template edit events in application logs for unusual Smarty syntax
Smarty Security Hardening (Workaround)
In Smarty 4.x, security policies can be enforced:
```php
// Security policy attached to an existing $smarty instance
$security = new Smarty_Security($smarty);
$security->php_functions = [];                // no PHP functions callable from templates
$security->php_handling = Smarty::PHP_REMOVE; // strip embedded PHP instead of executing it
$security->modifiers = [];                    // no PHP functions usable as modifiers
$smarty->enableSecurity($security);
```
Applying this configuration as a temporary measure can neutralize SSTI payloads until the patch is applied.
Detection
Log Indicators
Look for template content containing Smarty syntax payloads in HTTP request bodies:
- `{system(`
- `{php}`
- `{fetch file=`
- `{$smarty.template_object`
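As an added example (not part of the original advisory or of CubeCart's code), a small Python scanner that applies the indicators above to form-encoded request bodies, URL- and entity-decoding each field first so that encoded payloads are not missed. The request bodies and field names are constructed, and the extra command-execution function names in the regex are a generalisation beyond the list above.

```python
import re
from html import unescape
from urllib.parse import parse_qs, quote, unquote_plus, urlencode

# Indicator strings taken from the advisory's "Log Indicators" list.
SMARTY_INDICATORS = ("{system(", "{php}", "{fetch file=", "{$smarty.template_object")
# Generalisation: any Smarty tag opening a call to a PHP command-execution
# function, so variants of the {system(...)} payload are caught too.
EXEC_TAG_RE = re.compile(r"\{\s*(system|exec|shell_exec|passthru|popen)\s*\(", re.I)

def decode_field(value):
    """URL-decode and HTML-entity-decode until stable, so double-encoded or
    entity-encoded payloads are inspected in the clear."""
    prev = None
    while value != prev:
        prev = value
        value = unescape(unquote_plus(value))
    return value

def find_smarty_indicators(body):
    """Return the indicators present in a form-encoded (POST) request body."""
    hits = []
    for values in parse_qs(body, keep_blank_values=True).values():
        for raw in values:
            text = decode_field(raw)
            hits += [i for i in SMARTY_INDICATORS if i in text and i not in hits]
            for m in EXEC_TAG_RE.finditer(text):
                tag = "{" + m.group(1).lower() + "("
                if tag not in hits:
                    hits.append(tag)
    return hits

def scan_requests(requests):
    """Return (label, indicators) for every request body that trips a rule."""
    findings = []
    for label, body in requests:
        hits = find_smarty_indicators(body)
        if hits:
            findings.append((label, hits))
    return findings

# Constructed sample bodies (not captured traffic): a legitimate template edit,
# the advisory's payload, a double-URL-encoded {fetch}, and an entity-encoded call.
SAMPLE_REQUESTS = [
    ("benign", urlencode({"subject": "Order shipped", "body": "Hi {$name}, your order is on its way"})),
    ("plain", urlencode({"subject": "x", "body": "{system('id')}"})),
    ("double", urlencode({"content": quote("{fetch file='/path/to/file'}")})),
    ("entity", urlencode({"content": "&#123;exec&#40;&#39;id&#39;&#41;&#125;"})),
]
```

`scan_requests(SAMPLE_REQUESTS)` flags the plain, double and entity bodies and leaves the benign template edit (which legitimately uses `{$name}`) alone.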
File Integrity
After patching, verify no webshells were dropped in the web root:
```sh
find /path/to/cubecart -name "*.php" -newer /path/to/cubecart/index.php
```
Key Takeaways
- CVSS 9.1 — Authenticated SSTI leading to Remote Code Execution
- Multiple modules affected — Email Templates and Documents at minimum
- Upgrade to CubeCart 6.7.0 immediately
- Restrict API key permissions while awaiting patch deployment
- Audit for compromise — Check for webshells and unauthorized file changes