{"id":"CVE-2026-45055","summary":"CubeCart: Pre-Authenticated Password Reset Link Poisoning via HTTP Host Header","details":"CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email links, most critically the password-reset link in User::passwordRequest() (and the admin equivalent in Admin::passwordRequest()). An unauthenticated attacker who knows a target email can POST /index.php?_a=recover with Host: evil.com; CubeCart writes a fresh verify token (valid 3,600 s) and emails the victim a link http://evil.com/index.php?_a=recovery&validate=\u003cTOKEN\u003e. The token is valid against the legitimate store — capturing the victim's click on evil.com yields full account takeover, or store takeover when an admin email is targeted. This vulnerability is fixed in 6.7.2.","aliases":["GHSA-7pvc-gxc4-chmc"],"modified":"2026-07-15T01:48:53.035791350Z","published":"2026-05-13T20:44:54.465Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45055.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-20","CWE-345","CWE-601","CWE-784"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45055.json"},{"type":"ADVISORY","url":"https://github.com/cubecart/v6/security/advisories/GHSA-7pvc-gxc4-chmc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45055"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cubecart/v6","events":[{"introduced":"0"},{"fixed":"60e000e5cbaae9539521349cb9a58c6d3390b098"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"6.7.2"}],"source":"AFFECTED_FIELD"}}],"versions":["6.7.1","6.7.0","6.6.3","6.6.2","6.6.1","6.6.0","6.5.12","6.5.11","6.5.10","6.5.9","6.5.8","6.5.6","6.5.5","6.5.4","6.5.3","6.5.2","6.5.1","6.5.0","6.4.10","6.4.9","6.4.8","6.4.7","6.4.6","6.4.5","6.4.4","6.4.3","6.4.2","6.4.1","6.4.0","6.4.0-b2","6.4.0-b1","6.2.9","6.2.8","2.6.7","6.2.6","6.2.5","6.2.4","6.2.3","6.2.2","6.2.1","6.2.0","6.2.0-rc2","6.2.0-rc1","6.2.0-b1","6.1.11pr","6.1.10","6.1.9","6.1.8","6.1.7","6.1.6","6.1.5","6.1.4","6.1.3","6.1.2","6.1.1","6.1.0","6.0.12","6.0.11","6.0.10","6.0.9","6.0.8","6.0.6","6.0.5","6.0.4","6.0.3","6.0.2","6.0.1","6.0.0","6.0.0b7","6.0.0b6","6.0.0b5","6.0.0b4","6.0.0b3","6.0.0b2","6.0.0b1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45055.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}