|
771
|
9.1 |
CRITICAL
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and …
New
|
CWE-94
CWE-1336
Code Injection
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-44377
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
772
|
4.9 |
MEDIUM
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-con…
New
|
CWE-89
SQL Injection
|
CVE-2026-45054
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
773
|
8.1 |
HIGH
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded …
New
|
CWE-20
CWE-345
CWE-601
CWE-784
Improper Input Validation
Insufficient Verification of Data Authenticity
Open Redirect
Reliance on Cookies without Validation and Integrity Checking in a Security Decision
|
CVE-2026-45055
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
774
|
7.2 |
HIGH
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order,…
New
|
CWE-94
Code Injection
|
CVE-2026-45708
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
775
|
9.1 |
CRITICAL
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Inv…
New
|
CWE-94
CWE-1336
Code Injection
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-45714
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
776
|
8.3 |
HIGH
Network
|
-
|
-
|
Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.
New
|
CWE-93
CRLF Injection
|
CVE-2026-32993
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
777
|
8.1 |
HIGH
Network
|
-
|
-
|
Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.
New
|
CWE-89
SQL Injection
|
CVE-2026-29206
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
778
|
7.1 |
HIGH
Network
|
-
|
-
|
Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-32991
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
779
|
4.8 |
MEDIUM
Network
|
-
|
-
|
Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify commun…
New
|
CWE-319
Cleartext Transmission of Sensitive Information
|
CVE-2026-41281
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
780
|
7.1 |
HIGH
Network
|
-
|
-
|
SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.
New
|
CWE-89
SQL Injection
|
CVE-2026-46445
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
