Executive Summary

CVE-2026-36766 is a vulnerability in Shopizer version 3.2.5 where multiple REST API endpoints are susceptible to Stored Cross-Site Scripting (XSS) attacks. This happens because the XssHttpServletRequestWrapper class does not properly sanitize JSON request bodies, specifically failing to override the getInputStream() or getReader() functions. Attackers can inject malicious JavaScript payloads into JSON fields, which are then stored in the database and executed when retrieved by other users.

• The vulnerability affects endpoints such as PUT /api/v1/private/category/{id} and POST /api/v1/auth/products/{id}/reviews.
• The root cause is an incomplete XSS filtering mechanism that allows unsanitized scripts to persist in fields like category descriptions or customer data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a low-privileged admin or attacker to inject malicious JavaScript that executes in the browsers of other users, including higher-privileged users. This can lead to theft of session tokens, unauthorized actions, or other malicious activities performed on behalf of the victim user.

• Attackers can bypass backend XSS filters and store malicious scripts in the database.
• When other users retrieve the stored data, the malicious scripts execute in their browsers.
• Potential impacts include session hijacking, data theft, and unauthorized operations within the application.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability involves multiple REST API endpoints in Shopizer (versions ≤ 3.2.5) that accept JSON request bodies susceptible to stored Cross-Site Scripting (XSS) attacks. Detection can focus on monitoring or testing these endpoints for injection of malicious JavaScript payloads.

• Test the affected endpoints such as PUT /api/v1/private/category/{id} and POST /api/v1/auth/products/{id}/reviews by sending crafted JSON payloads containing script tags or JavaScript code.
• Use tools like curl or HTTP clients to send payloads and observe if the injected scripts are stored and executed when retrieved.
• Example curl command to test injection on category endpoint: curl -X PUT "http://<shopizer-host>/api/v1/private/category/1" -H "Content-Type: application/json" -d '{"description":"<script>alert(1)</script>"}'
• Monitor HTTP responses and application behavior for execution of injected scripts or unexpected HTML content.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include enhancing the XSS filtering mechanism to properly sanitize JSON request bodies, especially in the getInputStream() and getReader() functions of the XssHttpServletRequestWrapper class.

• Apply patches or updates from Shopizer that address this vulnerability if available.
• Implement security response headers such as Content-Security-Policy (CSP) to reduce the impact of XSS attacks.
• Restrict access to the affected REST API endpoints to trusted and authenticated users only.
• Review and harden input validation and sanitization logic to ensure all JSON inputs are properly filtered before storage or rendering.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-36766 vulnerability allows attackers to execute arbitrary web scripts via stored cross-site scripting (XSS) attacks, potentially enabling theft of session tokens or unauthorized actions by targeting higher-privileged users.

Such exploitation could lead to unauthorized access to sensitive personal data stored or processed by the Shopizer platform, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal information against unauthorized access or disclosure.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards or any regulatory consequences.

Useful 0 Not Useful 0