CVE-2026-38939
Status: Received - Intake
Cross Site Scripting in mvc-ecommerce v1.0

Publication date: 2026-04-30

Last updated on: 2026-04-30

Assigner: MITRE

Description
Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component
Meta Information
Published: 2026-04-30
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
andrewtch88 mvc-ecommerce 1.0
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-38939 is a reflected Cross-Site Scripting (XSS) vulnerability in the mvc-ecommerce v1.0 application by andrewtch88. It exists in the /product_catalogue.php component, specifically in a query parameter. An attacker can inject malicious JavaScript code into this parameter, which is then reflected in the server's response and executed in the victim's browser when they access a crafted URL.

This vulnerability occurs due to insufficient input sanitization and lack of proper output encoding, allowing the injected script to run in the context of the victim's browser.


How can this vulnerability impact me?

Successful exploitation of this vulnerability can lead to session hijacking, exposure of sensitive information, and unauthorized actions performed on behalf of the victim.

Because the malicious script runs in the victim's browser, attackers can steal cookies, capture user input, or perform actions as the user without their consent.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /product_catalogue.php component of the mvc-ecommerce v1.0 application for reflected Cross-Site Scripting (XSS) in its query parameter.

A common method is to inject a simple JavaScript payload, such as <script>alert(1)</script>, into the query parameter and observe if the script is reflected and executed in the server's response.

For example, you can use curl or a browser to send a request like:

  • curl "http://target-domain/product_catalogue.php?param=<script>alert(1)</script>"

If the response contains the injected script without proper encoding or sanitization, the vulnerability is present.
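The manual probe above tells you whether the page reflects its parameter; the defender-side counterpart is to look for such probes in the web server's own access log. The script below is an added example (not code from this page or from the mvc-ecommerce project) that parses combined-format access-log lines, keeps only requests to /product_catalogue.php that carry a query string, URL-decodes the query and flags entries matching a few reflected-XSS indicators. The log lines, IP addresses and timestamps are constructed for the example; the parameter name `param` is the same placeholder the curl example on this page uses, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample log lines in Apache/nginx combined format. Hosts, IPs
// (TEST-NET-3 range) and timestamps are made up for this example. The probe
// value is the <script>alert(1)</script> check described on this page, once
// URL-encoded and once double-encoded.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [30/Apr/2026:10:01:12 +0000] "GET /product_catalogue.php?param=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Apr/2026:10:02:45 +0000] "GET /product_catalogue.php?param=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5211 "-" "curl/8.0"
203.0.113.9 - - [30/Apr/2026:10:03:01 +0000] "GET /product_catalogue.php?param=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5230 "-" "curl/8.0"
203.0.113.4 - - [30/Apr/2026:10:04:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

// Heuristic indicators of markup or script being injected into a query
// parameter. These are detection signatures, deliberately broad; review
// hits rather than blocking on them automatically.
const XSS_INDICATORS = [
    '/<\s*script\b/i',
    '/<\s*(img|svg|iframe|object|embed)\b/i',
    '/\bon(error|load|click|mouseover|focus)\s*=/i',
    '/javascript\s*:/i',
];

// Parse one combined-log line into the fields needed here; null if the
// line does not match the expected layout.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
    ];
}

// Return the requests to /product_catalogue.php whose decoded query string
// matches one of the indicators above.
function find_xss_probes(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $parts = parse_url($req['target']);
        if (($parts['path'] ?? '') !== '/product_catalogue.php' || empty($parts['query'])) {
            continue;
        }
        // Decode twice so that double-encoded payloads (%253C -> %3C -> <)
        // are also caught.
        $decoded = rawurldecode(rawurldecode($parts['query']));
        foreach (XSS_INDICATORS as $pattern) {
            if (preg_match($pattern, $decoded)) {
                $hits[] = [
                    'ip'      => $req['ip'],
                    'time'    => $req['time'],
                    'query'   => $decoded,
                    'pattern' => $pattern,
                ];
                break;
            }
        }
    }
    return $hits;
}

// Usage: run against the constructed sample, or feed file_get_contents()
// of a real access log into find_xss_probes().
foreach (find_xss_probes(SAMPLE_LOG) as $hit) {
    printf("%s %s %s (matched %s)%s", $hit['time'], $hit['ip'], $hit['query'], $hit['pattern'], PHP_EOL);
}
```

On the sample input the two curl requests are reported and the legitimate `param=shoes` request is not. A hit in the log only shows that someone probed the page; whether the reflection is exploitable is what the manual test above establishes, and the HTTP status and response size in the same log line are often the first clue that the probe was reflected rather than rejected.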


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves implementing proper input sanitization and context-aware output encoding on the /product_catalogue.php component.

Specifically, ensure that any user-controlled input in the query parameter is sanitized to remove or encode potentially malicious characters before being reflected in the response.

This prevents the execution of injected JavaScript code and protects against session hijacking and unauthorized actions.
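To make the mitigation concrete, here is an added example (not code from the mvc-ecommerce project, whose source is not shown on this page) of the pattern that produces a reflected XSS in a PHP page like product_catalogue.php, beside the hardened form that applies context-aware output encoding. The parameter name `param` is a placeholder, as in the curl example on this page, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: the raw query value is concatenated into the HTML
// response, so a value containing markup is returned as markup and the
// browser executes it.
function render_vulnerable(array $get): string
{
    $q = $get['param'] ?? '';
    return '<h2>Results for ' . $q . '</h2>';
}

// Encode a value for the HTML body and for quoted attribute values.
// ENT_QUOTES encodes both quote characters, so the same helper is safe
// inside value="..."; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string; the charset must match the page's charset.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validate the type of the input, then encode it at the
// point where it is written into the response. Encoding on output (rather
// than stripping characters on input) keeps legitimate searches such as
// "a<b" working while making the markup inert.
function render_hardened(array $get): string
{
    $q = $get['param'] ?? '';
    if (!is_string($q)) {        // reject array input such as ?param[]=x
        $q = '';
    }
    return '<h2>Results for ' . e($q) . '</h2>'
         . '<input type="text" name="param" value="' . e($q) . '">';
}

// Demonstration with a constructed input: the harmless probe value used on
// this page, not a request to any live site.
$sample = ['param' => '<script>alert(1)</script>'];
echo "vulnerable: ", render_vulnerable($sample), PHP_EOL;
echo "hardened:   ", render_hardened($sample), PHP_EOL;
```

Running it shows the vulnerable function returning the script tag unchanged, while the hardened function returns it with `<`, `>` and quotes encoded as HTML entities, so the browser displays the text instead of executing it. If the value is ever written into a different context (a JavaScript string, a URL, a CSS value), that context needs its own encoder; htmlspecialchars() is correct only for HTML text and attribute values. Marking the session cookie HttpOnly (session.cookie_httponly in php.ini) does not remove the bug but limits the cookie-theft impact described above.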


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The Cross Site Scripting (XSS) vulnerability in andrewtch88 mvc-ecommerce v1.0 allows attackers to execute arbitrary code and potentially obtain sensitive information. This exposure of sensitive data and unauthorized actions could lead to non-compliance with regulations such as GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access and breaches.

Specifically, the vulnerability could result in session hijacking and sensitive data exposure, which are critical concerns under these standards. Failure to mitigate such vulnerabilities may lead to violations of data protection requirements, resulting in legal and financial consequences.

