PT-2026-40813 · Cubecart · Cubecart

Published: 2026-05-13 · Updated: 2026-05-14 · CVE-2026-45055

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: CubeCart versions 6.6.x through 6.7.1

Description: CubeCart builds the CC_STORE_URL constant directly from the Host request header during bootstrap, without checking it against an allowlist. This constant is embedded into transactional email links, specifically the password-reset links generated by the passwordRequest() functions in the User and Admin classes. An unauthenticated attacker can send a request to the '/index.php?_a=recover' endpoint with a malicious Host header, causing the system to email the victim a link that points to the attacker's domain but carries a valid verification token. If the victim clicks the link, the attacker can capture the token, leading to full account or store takeover.

Recommendations: Update to version 6.7.2.
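The root cause above is a base URL derived from a client-controlled header. The following PHP is an added illustration, not CubeCart's code or its 6.7.2 fix: it shows the unsafe pattern the description refers to beside a hardened resolver that takes the canonical store URL from configuration and only ever compares the Host header against an allowlist. All function names, the `$allowedHosts` and `$configuredUrl` parameters, the `token` query parameter and the sample hostnames are assumptions made for the example.

```php
<?php
// Added example (not CubeCart's own code). Function names, the allowlist and
// configured-URL parameters, and the `token` query parameter are assumptions.

declare(strict_types=1);

// The pattern the advisory describes, for contrast: the base URL is whatever
// Host header the client sent, so every link built from it inherits that host.
function store_url_from_host_header(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . ($server['HTTP_HOST'] ?? '') . '/';
}

// Hardened form: links are built from the configured canonical URL. The Host
// header is normalised and checked against an allowlist but never copied out.
function canonical_store_url(array $server, array $allowedHosts, string $configuredUrl): string
{
    $rawHost = $server['HTTP_HOST'] ?? '';

    // Normalise before comparing: lowercase, drop a trailing dot and an explicit
    // port. An IPv6 literal such as [::1]:8080 keeps its brackets.
    $host = strtolower(rtrim($rawHost, '.'));
    $host = preg_replace('/:\d+$/', '', $host) ?? $host;

    if (!in_array($host, $allowedHosts, true)) {
        // Detection point: a Host value that is not one of ours is either a
        // misconfiguration or a poisoning attempt. Record it; the link below is
        // unaffected either way because it never uses the header.
        error_log(sprintf(
            'host-header mismatch: got %s, expected one of %s',
            var_export($rawHost, true),
            implode(',', $allowedHosts)
        ));
    }

    return rtrim($configuredUrl, '/') . '/';
}

// Password-reset link built on the hardened resolver. The path mirrors the
// recovery endpoint named in the advisory; the token parameter name is assumed.
function password_reset_link(array $server, array $allowedHosts, string $configuredUrl, string $token): string
{
    $base = canonical_store_url($server, $allowedHosts, $configuredUrl);
    return $base . 'index.php?_a=recover&token=' . rawurlencode($token);
}

// Constructed request data: a Host header that does not belong to the store.
$request   = ['HTTP_HOST' => 'attacker-controlled.example', 'HTTPS' => 'on'];
$allowed   = ['shop.example.com', 'www.shop.example.com'];
$canonical = 'https://shop.example.com';

// The unsafe builder follows the header; the hardened one always yields the
// configured host, and the mismatch has been written to the error log.
echo store_url_from_host_header($request), "\n";
echo password_reset_link($request, $allowed, $canonical, 'placeholder-token'), "\n";
```

Two deployment notes: behind a reverse proxy, apply the same allowlist check to `X-Forwarded-Host` and honour that header only when the request arrives from a trusted proxy address; and where a mismatch should be treated as hostile rather than merely logged, answering the request with a 400 instead of falling back is the stricter option. The allowlist and the canonical URL both belong in static configuration, not in anything the request can influence.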

Exploit

Fix

Open Redirect

RCE

Weakness Enumeration: Insufficient Verification of Data Authenticity

Related Identifiers: CVE-2026-45055

Affected Products: Cubecart