CVE-2024-33438

HIGH

CubeCart < 6.5.5 - Authenticated Arbitrary Code Execution via PHAR File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-33438. PoCs published by julio-cfa.

AI-analyzed exploit summary

The repository contains a functional Python exploit for CVE-2024-33438, which leverages an arbitrary file upload vulnerability in CubeCart's file manager to achieve remote code execution (RCE). The exploit automates authentication, CSRF token extraction, and uploads a malicious .phar file to execute arbitrary commands.

Description

File Upload vulnerability in CubeCart before 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file.
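The root cause class here is CWE-434 (unrestricted upload of a file with a dangerous type). The usual way a .phar slips through is a denylist that blocks .php and .phtml but not .phar, even though common PHP server configurations hand .phar to the PHP engine (Debian-packaged Apache mod_php, for example, matches `.+\.ph(ar|p|tml)$`). The following is an added example, not CubeCart code and not the published PoC, that puts the vulnerable denylist shape beside an allowlist shape; the extension lists and the server-side name regeneration are illustrative assumptions.

```python
"""
Added example (not CubeCart code, not the PoC): why a denylist-based
upload filter is the wrong shape for CWE-434, with .phar as the case.
"""
import os
import re
from typing import List, Optional

# Suffixes that PHP-enabled web servers commonly hand to the PHP engine.
# Debian-packaged Apache mod_php, for instance, matches ".+\.ph(ar|p|tml)$",
# so an uploaded .phar file is executed like a .php file when requested.
PHP_EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar"}

# A typical incomplete denylist: blocks the obvious script suffixes but
# forgets phar (assumption: illustrative list, not CubeCart's actual filter).
INCOMPLETE_DENYLIST = {"php", "php3", "php4", "php5", "phtml"}

# Allowlist for an image/document upload feature (illustrative).
UPLOAD_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}


def _extensions(filename: str) -> List[str]:
    """All dotted suffixes, lowercased: 'a.phar.jpg' -> ['phar', 'jpg']."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def denylist_allows(filename: str) -> bool:
    """Vulnerable shape: accept unless the LAST extension is denylisted."""
    exts = _extensions(filename)
    return not exts or exts[-1] not in INCOMPLETE_DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened shape: exactly one extension and it must be allowlisted.
    Requiring a single extension also closes double-extension tricks."""
    exts = _extensions(filename)
    return len(exts) == 1 and exts[0] in UPLOAD_ALLOWLIST


def safe_stored_name(filename: str, random_token: str) -> Optional[str]:
    """Server-chosen on-disk name for an allowed upload, else None.
    The client-supplied basename never reaches the filesystem."""
    if not allowlist_allows(filename):
        return None
    if not re.fullmatch(r"[0-9a-f]{32}", random_token):
        raise ValueError("random_token must be 32 hex characters")
    return f"{random_token}.{_extensions(filename)[0]}"


def would_execute(filename: str) -> bool:
    """Would a PHP handler run this file if it landed under the web root?"""
    exts = _extensions(filename)
    return bool(exts) and exts[-1] in PHP_EXECUTABLE_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample names, including the .phar case from this CVE.
    for name in ["shell.php", "shell.phar", "shell.PHAR",
                 "photo.jpg", "photo.jpg.phar"]:
        print(f"{name:16} denylist={denylist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)!s:5} "
              f"executes={would_execute(name)}")
```

The denylist accepts `shell.phar` and the server would execute it; the allowlist rejects it, and the stored name is generated server-side so the original basename cannot influence what the web server sees.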

Exploits (1)

nomisec WORKING POC 3 stars
by julio-cfa · poc
https://github.com/julio-cfa/CVE-2024-33438


Classification
Working Poc 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: CubeCart <= 6.5.4
Auth required
Prerequisites: Valid admin credentials · Access to the admin panel URL
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 8.0
EPSS 0.0112
EPSS Percentile 61.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
cubecart/cubecart < 6.5.5
Published Apr 29, 2024
Tracked Since Feb 18, 2026