{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "6.7.2"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "60e000e5cbaae9539521349cb9a58c6d3390b098"
            }
          ],
          "repo": "https://github.com/cubecart/v6",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-7pvc-gxc4-chmc"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-20",
      "CWE-345",
      "CWE-601",
      "CWE-784"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45055.json"
  },
  "details": "CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email links, most critically the password-reset link in User::passwordRequest() (and the admin equivalent in Admin::passwordRequest()). An unauthenticated attacker who knows a target email can POST /index.php?_a=recover with Host: evil.com; CubeCart writes a fresh verify token (valid 3,600 s) and emails the victim a link http://evil.com/index.php?_a=recovery\u0026validate=\u003cTOKEN\u003e. The token is valid against the legitimate store — capturing the victim's click on evil.com yields full account takeover, or store takeover when an admin email is targeted. This vulnerability is fixed in 6.7.2.",
  "id": "CVE-2026-45055",
  "modified": "2026-07-15T01:48:53.035791350Z",
  "published": "2026-05-13T20:44:54.465Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45055.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/cubecart/v6/security/advisories/GHSA-7pvc-gxc4-chmc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45055"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CubeCart: Pre-Authenticated Password Reset Link Poisoning via HTTP Host Header"
}