CubeCart <= 6.5.4 is vulnerable to an arbitrary file upload that leads to remote code execution (RCE).
CVE-2024-33438: CubeCart <= 6.5.4 is vulnerable to an arbitrary file upload that leads to remote code execution (RCE).
File Upload vulnerability in CubeCart prior to 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file.