The SecurityCubeCart is an open-source e-commerce solution that has two critical security vulnerabilities, CVE-2018-20716 and another one which allows an attacker to circumvent the authentication mechanism required to login as an administrator. The first vulnerability can be exploited through CubeCarts "I forgot my Password!" functionality by using a valid password reset token which is not present in the expected format, allowing an attacker to execute arbitrary code on the web server and steal all sensitive files and data. The second vulnerability is related to the `where()` method of the database class which introduces search modifiers that can be abused to bypass the authentication mechanism by prefixing a tilde character to the password reset token and using wildcard characters, resulting in an almost always true condition in the SQL query. Both vulnerabilities were reported to the vendor in October 2017 and fixed versions were released shortly after.