Description
CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email links, most critically the password-reset link in User::passwordRequest() (and the admin equivalent in Admin::passwordRequest()). An unauthenticated attacker who knows a target email can POST /index.php?_a=recover with Host: evil.com; CubeCart writes a fresh verify token (valid 3,600 s) and emails the victim a link http://evil.com/index.php?_a=recovery&validate=<TOKEN>. The token is valid against the legitimate store — capturing the victim's click on evil.com yields full account takeover, or store takeover when an admin email is targeted. This vulnerability is fixed in 6.7.2.
Published: 2026-05-13
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CubeCart e‑commerce software built a constant store URL directly from the HTTP Host header without an allowlist. By sending an unauthenticated POST request with a malicious Host header, an attacker can cause the application to issue a new password‑reset verification token and embed the forged URL in an email sent to a known user. When the user clicks the link, the token is accepted by the legitimate store, giving the attacker control of that user’s account or even the entire store if an admin email is targeted. The flaw involves improper input validation and insecure use of the Host header, leading to a high‑severity compromise of confidentiality and integrity for affected accounts.

Affected Systems

CubeCart version 6.6.x through 6.7.1 released by the CubeCart vendor. The vulnerability is fixed in version 6.7.2; older builds are impacted.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. There is no published EPSS score, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires only a crafted HTTP request and the knowledge of a target email address, the threat is significant and achievable without authentication, making mitigation a priority.

Generated by OpenCVE AI on May 13, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the store to CubeCart 6.7.2 or later to remove the vulnerable Host‑header usage.
  • If an upgrade is not immediately possible, configure the application or web server to reject or validate the Host header against a whitelist to prevent forged URLs from being generated.
  • Apply input validation on request headers to mitigate the underlying CWE‑20 flaw, ensuring that only approved hostnames are accepted for generating transactional email links.
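
One way to apply the allowlist mitigation in a PHP bootstrap, as an added example that is not CubeCart's own code or its 6.7.2 patch; the constant and function names it uses are assumptions for illustration, and the store hostnames are constructed sample values:

```php
<?php
// Added example, not CubeCart's own code: derive the base URL for email links
// from a configured allowlist rather than from the Host request header.
// STORE_ALLOWED_HOSTS, STORE_CANONICAL_URL, normaliseHost() and resolveStoreUrl()
// are illustrative names, not CubeCart identifiers.
declare(strict_types=1);

// Hostnames the store is legitimately served under (constructed sample values).
// This is configuration, never derived from the request.
const STORE_ALLOWED_HOSTS = ['shop.example.com', 'www.shop.example.com'];

// Used whenever the Host header is absent or not on the allowlist.
const STORE_CANONICAL_URL = 'https://shop.example.com';

// Normalise a Host header for comparison: lower-case, strip an optional
// :port and a trailing dot, and reject anything that is not a plain
// RFC 1123 hostname (userinfo, paths, whitespace, IPv6 literals).
function normaliseHost(?string $hostHeader): ?string
{
    if ($hostHeader === null) {
        return null;
    }
    $host = strtolower(trim($hostHeader));
    $host = (string) preg_replace('/:\d+$/', '', $host);
    $host = rtrim($host, '.');
    $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
    if ($host === '' || !preg_match("/^{$label}(\\.{$label})*$/", $host)) {
        return null;
    }
    return $host;
}

// The Host header is honoured only on an exact allowlist match; otherwise the
// canonical URL is returned, so a forged Host never reaches a reset link.
function resolveStoreUrl(?string $hostHeader, bool $https): string
{
    $host = normaliseHost($hostHeader);
    if ($host === null || !in_array($host, STORE_ALLOWED_HOSTS, true)) {
        return STORE_CANONICAL_URL;
    }
    return ($https ? 'https://' : 'http://') . $host;
}

// Bootstrap usage: compute the constant once from the current request.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
define('STORE_URL', resolveStoreUrl($_SERVER['HTTP_HOST'] ?? null, $https));

// Transactional links built on STORE_URL stay on the legitimate store even
// when a recovery request arrives with a hostile Host header.
```

The same check belongs at the web-server layer as well (a default server block that refuses unknown hostnames), so that a forged Host never reaches the application in the first place.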

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Cubecart
                                       Cubecart cubecart
Vendors & Products                     Cubecart
                                       Cubecart cubecart

Thu, 14 May 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description                    CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email links, most critically the password-reset link in User::passwordRequest() (and the admin equivalent in Admin::passwordRequest()). An unauthenticated attacker who knows a target email can POST /index.php?_a=recover with Host: evil.com; CubeCart writes a fresh verify token (valid 3,600 s) and emails the victim a link http://evil.com/index.php?_a=recovery&validate=<TOKEN>. The token is valid against the legitimate store — capturing the victim's click on evil.com yields full account takeover, or store takeover when an admin email is targeted. This vulnerability is fixed in 6.7.2.
Title                          CubeCart: Pre-Authenticated Password Reset Link Poisoning via HTTP Host Header
Weaknesses                     CWE-20, CWE-345, CWE-601, CWE-784
References
Metrics                        cvssV3_1
                               {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:53:08.617Z

Reserved: 2026-05-08T18:07:27.342Z

Link: CVE-2026-45055

Vulnrichment

Updated: 2026-05-14T12:52:58.952Z

NVD

Status: Deferred

Published: 2026-05-13T21:16:49.437

Modified: 2026-05-14T16:49:18.583

Link: CVE-2026-45055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:18Z