Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.9
EC-CUBE: Administrator Access Bypass with Valid Credentials
CVE-2026-30777
Summary
If a hacker gets your admin login and password, they may be able to get into your EC-CUBE admin page without needing a second form of verification. This could let them make changes or steal sensitive data. You should update your EC-CUBE software to the latest version to fix this.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| ec-cube | ec-cube | > 4.1.0 , <= 4.1.2 | – |
| ec-cube | ec-cube | > 4.2.0 , <= 4.2.3 | – |
| ec-cube | ec-cube | > 4.3.0 , <= 4.3.1 | – |
| ec-cube | ec-cube | 4.1.2 | – |
| ec-cube | ec-cube | 4.1.2 | – |
| ec-cube | ec-cube | 4.1.2 | – |
| ec-cube | ec-cube | 4.1.2 | – |
| ec-cube | ec-cube | 4.1.2 | – |
| ec-cube | ec-cube | 4.2.3 | – |
| ec-cube | ec-cube | 4.2.3 | – |
| ec-cube | ec-cube | 4.3.1 | – |
Original title
EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-...
Original description
EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page.
nvd CVSS3.0
4.9
nvd CVSS4.0
6.9
Vulnerability type
CWE-288
Authentication Bypass Using Alternate Path
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026