此页面尚未翻译为您的语言。我们正在努力翻译，目前显示英文内容。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

HIGHCVE-2026-45055CVSS 8.1

CVE-2026-45055: SSRF in CubeCart v6 Ecommerce Software

Q: What is CVE-2026-45055 — SSRF in CubeCart v6?

CVE-2026-45055 is a Server-Side Request Forgery vulnerability in CubeCart v6 (versions 6.6.0–6.7.1) that allows attackers to manipulate password reset links, potentially leading to account takeover.

Q: Am I affected by CVE-2026-45055 in CubeCart v6?

If you are running CubeCart v6 versions 6.6.0 through 6.7.1, you are vulnerable to this SSRF attack. Upgrade to version 6.7.2 or later to mitigate the risk.

Q: How do I fix CVE-2026-45055 in CubeCart v6?

The recommended fix is to upgrade CubeCart to version 6.7.2 or later. As a temporary workaround, implement a WAF rule to block requests with suspicious Host headers.

Q: Is CVE-2026-45055 being actively exploited?

As of the publication date, there are no reports of active exploitation. However, the vulnerability's severity warrants immediate attention and mitigation.

Q: Where can I find the official CubeCart advisory for CVE-2026-45055?

Refer to the official CubeCart security advisory on their website or GitHub repository for detailed information and updates regarding CVE-2026-45055.

平台

php

组件

cubecart

修复版本

6.7.2

在NVD查看

保存

正在翻译为您的语言…

CVE-2026-45055 is a Server-Side Request Forgery (SSRF) vulnerability affecting CubeCart v6 versions 6.6.0 through 6.7.1. An attacker can exploit this flaw to craft malicious password reset links, potentially leading to account takeover. The vulnerability stems from the improper handling of the Host header during bootstrap, which is then embedded directly into transactional email links. A fix is available in CubeCart version 6.7.2.

影响与攻击场景翻译中…

The primary impact of this SSRF vulnerability lies in the ability of an unauthenticated attacker to manipulate password reset links. By crafting a malicious Host header, an attacker can redirect the password reset link to an attacker-controlled domain. When a user clicks this link, they are prompted to enter a new password on the attacker's site, effectively granting the attacker control of the user's account. This could lead to data theft, fraudulent transactions, or further compromise of the ecommerce platform. The vulnerability's impact is amplified by the fact that it targets a critical function – password recovery – which is often used by legitimate users, increasing the likelihood of exploitation. This attack pattern shares similarities with other SSRF-based phishing campaigns, where attackers leverage trusted domains to trick users into divulging credentials.

利用背景翻译中…

CVE-2026-45055 was published on May 13, 2026. Currently, there are no public exploit code or active campaigns targeting this vulnerability. The CVSS score of 8.1 (HIGH) indicates a significant risk, and it is likely to be added to KEV (Known Exploited Vulnerabilities) lists if exploitation becomes widespread. Monitor security advisories and threat intelligence feeds for updates.

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

报告1 份威胁报告

CISA SSVC

利用情况poc

可自动化no

技术影响total

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope: 未改变 — 影响仅限于脆弱组件本身。
Confidentiality: 高 — 完全丧失机密性，攻击者可读取所有数据。
Integrity: 高 — 攻击者可写入、修改或删除任何数据。
Availability: 无 — 无可用性影响。

受影响的软件

组件cubecart

供应商cubecart

最低版本6.6.0

最高版本< 6.7.2

修复版本6.7.2

弱点分类 (CWE)

CWE-20 CWE-345 CWE-601 CWE-784

时间线

已保留2026-05-08
发布日期2026-05-13
修改日期2026-05-14

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-45055 is to immediately upgrade CubeCart to version 6.7.2 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests with suspicious Host headers. Specifically, block requests where the Host header contains unexpected or malicious domains. Additionally, review CubeCart's configuration to ensure that any custom settings related to email sending are secure and do not introduce similar vulnerabilities. After upgrading, confirm the fix by attempting to trigger a password reset and verifying that the generated link points to the correct CubeCart domain.

修复方法翻译中…

Actualice CubeCart a la versión 6.7.2 o superior para mitigar la vulnerabilidad de envenenamiento de enlaces de restablecimiento de contraseña. La versión corregida valida el Host request header, previniendo la inyección de dominios maliciosos en los enlaces de restablecimiento de contraseña.

常见问题翻译中…

What is CVE-2026-45055 — SSRF in CubeCart v6?

CVE-2026-45055 is a Server-Side Request Forgery vulnerability in CubeCart v6 (versions 6.6.0–6.7.1) that allows attackers to manipulate password reset links, potentially leading to account takeover.

Am I affected by CVE-2026-45055 in CubeCart v6?

If you are running CubeCart v6 versions 6.6.0 through 6.7.1, you are vulnerable to this SSRF attack. Upgrade to version 6.7.2 or later to mitigate the risk.

How do I fix CVE-2026-45055 in CubeCart v6?

The recommended fix is to upgrade CubeCart to version 6.7.2 or later. As a temporary workaround, implement a WAF rule to block requests with suspicious Host headers.

Is CVE-2026-45055 being actively exploited?

As of the publication date, there are no reports of active exploitation. However, the vulnerability's severity warrants immediate attention and mitigation.

Where can I find the official CubeCart advisory for CVE-2026-45055?

Refer to the official CubeCart security advisory on their website or GitHub repository for detailed information and updates regarding CVE-2026-45055.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE

live免费扫描

立即试用 — 无需账户

上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始：拥有账户后，您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。

手动扫描Slack/邮件提醒持续监控白标报告

拖放您的依赖文件

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...

浏览文件