CVE-2026-38939
Received Received - Intake
Cross Site Scripting in mvc-ecommerce v1.0

Publication date: 2026-04-30

Last updated on: 2026-04-30

Assigner: MITRE

Description
Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-38939
EUVD
EUVD-2026-26387
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
andrewtch88 mvc-ecommerce 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The Cross Site Scripting (XSS) vulnerability in andrewtch88 mvc-ecommerce v1.0 allows attackers to execute arbitrary code and potentially obtain sensitive information. This exposure of sensitive data and unauthorized actions could lead to non-compliance with regulations such as GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access and breaches.

Specifically, the vulnerability could result in session hijacking and sensitive data exposure, which are critical concerns under these standards. Failure to mitigate such vulnerabilities may lead to violations of data protection requirements, resulting in legal and financial consequences.

Executive Summary

CVE-2026-38939 is a reflected Cross-Site Scripting (XSS) vulnerability in the mvc-ecommerce v1.0 application by andrewtch88. It exists in the /product_catalogue.php component, specifically in a query parameter. An attacker can inject malicious JavaScript code into this parameter, which is then reflected in the server's response and executed in the victim's browser when they access a crafted URL.

This vulnerability occurs due to insufficient input sanitization and lack of proper output encoding, allowing the injected script to run in the context of the victim's browser.

Impact Analysis

Successful exploitation of this vulnerability can lead to session hijacking, exposure of sensitive information, and unauthorized actions performed on behalf of the victim.

Because the malicious script runs in the victim's browser, attackers can steal cookies, capture user input, or perform actions as the user without their consent.

Detection Guidance

This vulnerability can be detected by testing the /product_catalogue.php component of the mvc-ecommerce v1.0 application for reflected Cross-Site Scripting (XSS) in its query parameter.

A common method is to inject a simple JavaScript payload, such as <script>alert(1)</script>, into the query parameter and observe if the script is reflected and executed in the server's response.

For example, you can use curl or a browser to send a request like:

  • curl "http://target-domain/product_catalogue.php?param=<script>alert(1)</script>"

If the response contains the injected script without proper encoding or sanitization, the vulnerability is present.

Mitigation Strategies

Immediate mitigation involves implementing proper input sanitization and context-aware output encoding on the /product_catalogue.php component.

Specifically, ensure that any user-controlled input in the query parameter is sanitized to remove or encode potentially malicious characters before being reflected in the response.

This prevents the execution of injected JavaScript code and protects against session hijacking and unauthorized actions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38939. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart