Skip to main content

CubeCart CVE-2026-45055

| EUVD-2026-30172 HIGH
Improper Input Validation (CWE-20)
2026-05-13 GitHub_M
PHP Information Disclosure V6
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:52 vuln.today
Patch available
May 13, 2026 - 22:03 EUVD

DescriptionGitHub Advisory

CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x - 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email links, most critically the password-reset link in User::passwordRequest() (and the admin equivalent in Admin::passwordRequest()). An unauthenticated attacker who knows a target email can POST /index.php?_a=recover with Host: evil.com; CubeCart writes a fresh verify token (valid 3,600 s) and emails the victim a link http://evil.com/index.php?_a=recovery&validate=<TOKEN>. The token is valid against the legitimate store - capturing the victim's click on evil.com yields full account takeover, or store takeover when an admin email is targeted. This vulnerability is fixed in 6.7.2.

AnalysisAI

Account and store takeover in CubeCart 6.6.x through 6.7.1 is possible because the CC_STORE_URL constant is derived from the unvalidated Host header at bootstrap and embedded into password-reset emails. A remote unauthenticated attacker who knows a victim's email address can trigger a host-header poisoning attack that emails the user a reset link pointing at attacker-controlled infrastructure, capturing a valid 3,600-second token on click. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target store and admin/user email
Delivery
Send POST /index.php?_a=recover with spoofed Host header
Exploit
CubeCart issues valid token and emails poisoned reset link
Install
Victim clicks link to attacker-controlled host
C2
Attacker captures verify token from request log
Execute
Replay token against legitimate store
Impact
Reset password and take over account or full store
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the CubeCart instance accept and reflect arbitrary HTTP Host headers at bootstrap (the default behavior in 6.6.x-6.7.1 with no allowlist), that the attacker know a valid registered email address for the target store, and that the targeted user click the poisoned password-reset link within the 3,600-second token validity window (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but lean toward prioritization for any internet-facing CubeCart deployment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker harvests a customer or administrator email (from public order confirmations, leaked databases, or admin contact pages) and sends POST /index.php?_a=recover to the target store with a spoofed Host: evil.com header. CubeCart issues a real reset token tied to the victim's account but emails the victim a link of the form http://evil.com/index.php?_a=recovery&validate=<TOKEN>; when the victim clicks, the token lands on the attacker's server and can be replayed against the legitimate store to seize the account, with admin targeting yielding full store takeover. …
Remediation Vendor-released patch: upgrade to CubeCart 6.7.2 or later, as documented in GHSA-7pvc-gxc4-chmc (https://github.com/cubecart/v6/security/advisories/GHSA-7pvc-gxc4-chmc). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all CubeCart installations and identify those running versions 6.6.x through 6.7.1. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-45055 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy