CVE-2026-2165
Awaiting Analysis Awaiting Analysis - Queue
Authentication Bypass via Email Manipulation in Detronetdip E-commerce

Publication date: 2026-02-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2165
EUVD
EUVD-2026-5784
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
detronetdip e-commerce 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

CVE-2026-2165 is a critical security vulnerability in detronetdip E-commerce version 1.0.0, specifically in the backend PHP script located at /Admin/assets/backend/seller/add_seller.php. The vulnerability arises because this script lacks any authentication or session validation checks, allowing attackers to bypass authentication entirely.

The script assumes it is only accessed through the Admin Dashboard UI, which is protected by login, but it does not verify if the requestor is an authenticated administrator. As a result, an attacker can send direct HTTP POST requests with parameters like email, password, and mobile to create active seller accounts in the database without any authorization.

This missing authentication flaw is classified under CWE-306 (Missing Authentication for Critical Function) and allows unauthorized users to create accounts that should only be created by administrators.

Impact Analysis

This vulnerability can have several serious impacts:

  • Attackers can bypass admin login and registration approval workflows to create active user or seller accounts without authorization.
  • It enables privilege escalation by granting attackers access to the seller dashboard, which can be used for further exploitation such as Insecure Direct Object References (IDOR).
  • The system can be flooded with fake accounts, leading to spam, fraud, degraded performance, and increased management complexity.
  • Confidentiality, integrity, and availability of the application can be compromised due to unauthorized access and manipulation.
Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the backend endpoint `/Admin/assets/backend/seller/add_seller.php` is accessible without authentication and accepts unauthenticated POST requests to create new seller accounts.'}, {'type': 'paragraph', 'content': "One way to detect it on your network or system is to attempt sending a crafted POST request to the vulnerable endpoint with parameters such as `email`, `pass`, and `mobile` and observe if the server responds with a success indicator (e.g., response '1')."}, {'type': 'paragraph', 'content': 'Additionally, you can use Google dorking to locate vulnerable instances by searching for URLs containing `inurl:Admin/assets/backend/seller/add_seller.php`.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability: curl -X POST -d "[email protected]&pass=password123&mobile=0000000000" https://targetsite.com/Admin/assets/backend/seller/add_seller.php'}, {'type': 'list_item', 'content': "If the response is '1' or indicates success without authentication, the vulnerability is present."}] [1, 2, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation involves enforcing authentication and session validation on the vulnerable backend scripts to prevent unauthenticated access.'}, {'type': 'paragraph', 'content': 'Specifically, add session management and access control checks at the start of the affected PHP files such as `add_seller.php` and `add_user.php`.'}, {'type': 'list_item', 'content': 'Add the following code snippet at the top of the vulnerable PHP files to enforce admin authentication:'}, {'type': 'list_item', 'content': '```php\nsession_start();\nif (!isset($_SESSION[\'IS_LOGIN_ADMIN\']) || $_SESSION[\'IS_LOGIN_ADMIN\'] !== "YES") {\n http_response_code(403);\n die("Unauthorized Access");\n}\n```'}, {'type': 'paragraph', 'content': 'This ensures that only authenticated administrators can execute these critical functions, mitigating the broken access control vulnerability.'}, {'type': 'paragraph', 'content': 'If patching is not immediately possible, consider restricting access to these backend endpoints via network controls such as firewall rules or IP whitelisting to limit exposure.'}, {'type': 'paragraph', 'content': 'Replacing the affected component with a secure alternative is also recommended if no official patch or fix is available.'}] [1, 2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2165. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart