LeakyCreds

CVE-2026-45055 - Vulnerability Analysis

High, CVSS: 8.1

Last Updated: May 14, 2026

CubeCart - Authentication Bypass

Published: May 13, 2026
Updated: May 14, 2026
Remote Exploitable

Overview

CubeCart 6.6.x – 6.7.1 contains an open redirect caused by building CC_STORE_URL from the Host header without an allowlist. This lets unauthenticated attackers perform account takeover via crafted password-reset links. Exploitation requires the attacker to know the target's email address.

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Unauthenticated attackers can take over user or admin accounts by exploiting password reset links, leading to full account or store compromise.

Mitigation

Upgrade to version 6.7.2 or later.

Details

CVE ID: CVE-2026-45055
Severity: High
CVSS Score: 8.1
Type: broken_authentication
Status: rejected

CWE

  • CWE-20

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N