CVE-2026-14633

XSS in Ecommerce-CodeIgniter-Bootstrap via Hidden API

Vulnerability report for CVE-2026-14633, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A vulnerability was identified in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to commit 49b20f53de2b7ec34e920b11c863f1491d911a04. It affects an unknown part of the endpoint /index.php/api/product/set in the Hidden REST API Endpoint component. Manipulation of the title/description argument leads to cross-site scripting. The attack can be carried out remotely, and the exploit has been publicly disclosed and may be used. This product follows a rolling release strategy to maintain continuous delivery, so version details for affected or updated releases cannot be specified. Patch name: d9785f995da77bdc62fb2d34bad5f7a162c9ad23. To fix this issue, it is recommended to deploy the patch.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: kirilkirkov
Product: ecommerce-codeigniter-bootstrap
Version / Range: up to and including commit 49b20f53de2b7ec34e920b11c863f1491d911a04

CWE

CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

CVE-2026-14633 is a vulnerability in the Ecommerce-CodeIgniter-Bootstrap application involving a hidden REST API endpoint that allows anonymous users to create product records without authentication.

The vulnerability arises because the API accepts and stores attacker-controlled HTML or JavaScript code in product fields such as title and description without proper sanitization.

When these malicious product entries are later displayed on the frontend product pages, the injected scripts execute in the browsers of users viewing those pages, resulting in a stored Cross-Site Scripting (XSS) attack.

The attack can be carried out remotely by sending a POST request with malicious payloads to the hidden endpoint `/index.php/api/product/set`.

Impact Analysis

This vulnerability can impact you by allowing attackers to inject malicious scripts into product data that is displayed to users.

Such scripts can execute in the browsers of your users, potentially leading to session theft, Cross-Site Request Forgery (CSRF) attacks, phishing, or other malicious activities.

Because the API does not require authentication, attackers can create or delete products without permission, which can compromise the integrity of your product data.

Detection Guidance

Exploitation attempts can be detected by checking for POST requests to the hidden REST API endpoint `/index.php/api/product/set`, which created product records without requiring authentication.

You can monitor network traffic or server logs for POST requests to this endpoint containing suspicious or unexpected data in the title or description fields.

A simple command to find such attempts in web server logs (e.g., Apache or Nginx; adjust the log path for your server) could be:

  • grep "/index.php/api/product/set" /var/log/apache2/access.log | grep '"POST '

Additionally, inspecting the database for unexpected or malicious HTML/JavaScript content in product titles or descriptions can help identify exploitation.
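To make the two detection checks above concrete, here is an added example (not part of this report or of the project's code) that parses Apache-style access-log lines for POST requests to the hidden endpoint and classifies product rows by whether their title or description carries active content (script tags, event handlers, javascript: URLs) or merely other HTML markup worth a manual look. The log lines and product rows are constructed samples; the endpoint path is the one named in the report.

```python
import re

# Constructed sample Apache-style access-log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jul/2026:10:01:02 +0000] "GET /index.php/product/12 HTTP/1.1" 200 5120
203.0.113.7 - - [04/Jul/2026:10:01:09 +0000] "POST /index.php/api/product/set HTTP/1.1" 200 87
198.51.100.4 - - [04/Jul/2026:10:02:30 +0000] "GET /index.php/api/product/set HTTP/1.1" 405 0
203.0.113.7 - - [04/Jul/2026:10:03:11 +0000] "POST /index.php/api/product/set?x=1 HTTP/1.1" 200 87
"""

# Constructed product rows standing in for a dump of the products table.
SAMPLE_PRODUCTS = [
    {"id": 1, "title": "Blue Mug", "description": "Ceramic, 300 ml."},
    {"id": 2, "title": "Tea Set", "description": "Comes with <b>four</b> cups."},
    {"id": 3, "title": "Lamp<script>alert(1)</script>", "description": "Desk lamp"},
    {"id": 4, "title": "Chair", "description": '<a href="javascript:alert(1)">deal</a>'},
]

ENDPOINT = "/index.php/api/product/set"   # hidden endpoint named in the report
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def find_product_set_posts(log_text):
    """Return (ip, timestamp, status) for every POST to the hidden endpoint.
    The endpoint accepted unauthenticated writes, so every hit deserves review."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # drop any query string
        if m.group("method") == "POST" and path == ENDPOINT:
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

# Active content (script/iframe tags, on*= handlers, javascript: URLs) vs. other markup.
ACTIVE = re.compile(r"<\s*script\b|<\s*iframe\b|\bon[a-z]+\s*=|javascript\s*:", re.I)
ANY_TAG = re.compile(r"<\s*/?[a-zA-Z!]")

def classify_products(rows):
    """Map product id -> 'active', 'markup' (review manually) or None (clean)."""
    verdicts = {}
    for row in rows:
        text = f"{row['title']} {row['description']}"
        if ACTIVE.search(text):
            verdicts[row["id"]] = "active"
        elif ANY_TAG.search(text):
            verdicts[row["id"]] = "markup"
        else:
            verdicts[row["id"]] = None
    return verdicts
```

Feed `find_product_set_posts()` your real access log and `classify_products()` the rows of the products table; rows classified as "active" are the ones to remove or re-encode first.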

Mitigation Strategies

Immediate mitigation steps include deploying the patch that enforces authentication checks on the vulnerable API endpoints.

Specifically, ensure that the `set_post()` and `productDel_delete()` functions in the `Api/Products.php` controller require a valid admin session before processing requests, which prevents unauthenticated product creation or deletion.

Also, apply proper output encoding such as using `htmlspecialchars()` on user-supplied data in templates to prevent stored cross-site scripting.

If immediate patching is not possible, consider restricting access to the `/index.php/api/product/set` endpoint via network controls or web application firewall rules to block unauthorized requests.

Compliance Impact

The vulnerability allows unauthenticated attackers to create product records with malicious scripts that execute stored cross-site scripting (XSS) attacks on users visiting the affected product pages. This can lead to session theft, cross-site request forgery (CSRF), and phishing attacks against victims.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of user data and secure handling of personal information. The exploitation of this vulnerability could lead to unauthorized access or compromise of user sessions and data, potentially violating data protection and privacy requirements.

Therefore, failure to patch this vulnerability may result in non-compliance with these regulations due to inadequate security controls against injection and authentication bypass vulnerabilities.
