CVE-2026-30777

Published: Mar 5, 2026Modified: Mar 9, 2026

6.9

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: vultures@jpcert.or.jp (Secondary)

Description

EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page.

Affected (11)

Products: Ec Cube: Ec Cube

Ec Cube

1 product

Ec Cube

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Ec Cube Ec Cube	From 4.1.0 to 4.1.2
Ec Cube Ec Cube	From 4.2.0 to 4.2.3
Ec Cube Ec Cube	From 4.3.0 to 4.3.1
Ec Cube Ec Cube	Version 4.1.2
Ec Cube Ec Cube	Version 4.1.2 p1
Ec Cube Ec Cube	Version 4.1.2 p2
Ec Cube Ec Cube	Version 4.1.2 p3
Ec Cube Ec Cube	Version 4.1.2 p4
Ec Cube Ec Cube	Version 4.2.3
Ec Cube Ec Cube	Version 4.2.3 p1
Ec Cube Ec Cube	Version 4.3.1

Related CWEs

CWE-288

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References (2)

https://jvn.jp/en/jp/JVN63765888/

Source: vultures@jpcert.or.jp

Third Party Advisory

https://www.ec-cube.net/info/weakness/20260209/index.php

Source: vultures@jpcert.or.jp

PatchVendor Advisory

Timeline

No history available yet.