無料スキャン

このページはまだあなたの言語に翻訳されていません。翻訳作業中のため、英語でコンテンツを表示しています。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

HIGHCVE-2026-45055CVSS 8.1

CVE-2026-45055: SSRF in CubeCart v6 Ecommerce Software

翻訳中…

プラットフォーム

php

コンポーネント

cubecart

修正版

6.7.2

NVDで見る
保存
あなたの言語に翻訳中…

CVE-2026-45055 is a Server-Side Request Forgery (SSRF) vulnerability affecting CubeCart v6 versions 6.6.0 through 6.7.1. An attacker can exploit this flaw to craft malicious password reset links, potentially leading to account takeover. The vulnerability stems from the improper handling of the Host header during bootstrap, which is then embedded directly into transactional email links. A fix is available in CubeCart version 6.7.2.

影響と攻撃シナリオ翻訳中…

The primary impact of this SSRF vulnerability lies in the ability of an unauthenticated attacker to manipulate password reset links. By crafting a malicious Host header, an attacker can redirect the password reset link to an attacker-controlled domain. When a user clicks this link, they are prompted to enter a new password on the attacker's site, effectively granting the attacker control of the user's account. This could lead to data theft, fraudulent transactions, or further compromise of the ecommerce platform. The vulnerability's impact is amplified by the fact that it targets a critical function – password recovery – which is often used by legitimate users, increasing the likelihood of exploitation. This attack pattern shares similarities with other SSRF-based phishing campaigns, where attackers leverage trusted domains to trick users into divulging credentials.

悪用の状況翻訳中…

CVE-2026-45055 was published on May 13, 2026. Currently, there are no public exploit code or active campaigns targeting this vulnerability. The CVSS score of 8.1 (HIGH) indicates a significant risk, and it is likely to be added to KEV (Known Exploited Vulnerabilities) lists if exploitation becomes widespread. Monitor security advisories and threat intelligence feeds for updates.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出
レポート1 脅威レポート

CISA SSVC

悪用状況poc
自動化可能no
技術的影響total

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N8.1HIGHAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredNone攻撃に必要な認証レベルUser InteractionRequired被害者の操作が必要かどうかScopeUnchanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityNoneサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
なし — 認証不要。資格情報なしで悪用可能。
User Interaction
必要 — 被害者がファイルを開く、リンクをクリックするなどのアクションが必要。
Scope
変化なし — 影響は脆弱なコンポーネントのみ。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
なし — 可用性への影響なし。

影響を受けるソフトウェア

コンポーネントcubecart
ベンダーcubecart
最小バージョン6.6.0
最大バージョン< 6.7.2
修正版6.7.2

弱点分類 (CWE)

CWE-20CWE-345CWE-601CWE-784

タイムライン

  1. 予約済み
  2. 公開日
  3. 更新日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-45055 is to immediately upgrade CubeCart to version 6.7.2 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests with suspicious Host headers. Specifically, block requests where the Host header contains unexpected or malicious domains. Additionally, review CubeCart's configuration to ensure that any custom settings related to email sending are secure and do not introduce similar vulnerabilities. After upgrading, confirm the fix by attempting to trigger a password reset and verifying that the generated link points to the correct CubeCart domain.

修正方法翻訳中…

Actualice CubeCart a la versión 6.7.2 o superior para mitigar la vulnerabilidad de envenenamiento de enlaces de restablecimiento de contraseña. La versión corregida valida el Host request header, previniendo la inyección de dominios maliciosos en los enlaces de restablecimiento de contraseña.

よくある質問翻訳中…

What is CVE-2026-45055 — SSRF in CubeCart v6?

CVE-2026-45055 is a Server-Side Request Forgery vulnerability in CubeCart v6 (versions 6.6.0–6.7.1) that allows attackers to manipulate password reset links, potentially leading to account takeover.

Am I affected by CVE-2026-45055 in CubeCart v6?

If you are running CubeCart v6 versions 6.6.0 through 6.7.1, you are vulnerable to this SSRF attack. Upgrade to version 6.7.2 or later to mitigate the risk.

How do I fix CVE-2026-45055 in CubeCart v6?

The recommended fix is to upgrade CubeCart to version 6.7.2 or later. As a temporary workaround, implement a WAF rule to block requests with suspicious Host headers.

Is CVE-2026-45055 being actively exploited?

As of the publication date, there are no reports of active exploitation. However, the vulnerability's severity warrants immediate attention and mitigation.

Where can I find the official CubeCart advisory for CVE-2026-45055?

Refer to the official CubeCart security advisory on their website or GitHub repository for detailed information and updates regarding CVE-2026-45055.

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...

CVE-2026-45055 — Vulnerability Details | NextGuard