CVE-2026-14634
Received Received - Intake

XSS in Ecommerce-CodeIgniter-Bootstrap via User-Agent

Vulnerability report for CVE-2026-14634, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A vulnerability was identified in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 213babdbaa949e94557246414db0130e01394517. This vulnerability affects the function checkForPostRequests of the file application/core/MY_Controller.php of the component Subscribed Emails Admin Page. Such manipulation of the argument User-Agent leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is 23105f25dadf57b4314fc015a63a7c6e910c89df. It is advisable to implement a patch to correct this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-04
Last Modified
2026-07-04
Generated
2026-07-04
AI Q&A
2026-07-04
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kirilkirkov ecommerce-codeigniter-bootstrap to 213babdbaa949e94557246414db0130e01394517 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue found in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap platform. It occurs in the newsletter subscription feature where the User-Agent HTTP header from requests is stored without proper sanitization. An attacker can inject malicious JavaScript code via the User-Agent header, which is then saved in the database and later displayed in the admin panel's subscribed emails page without encoding. When an administrator views this page, the malicious script executes in their browser, leading to a stored XSS attack.

The vulnerable function is checkForPostRequests in the file application/core/MY_Controller.php, and the attack can be performed remotely by submitting a crafted User-Agent header during newsletter subscription.

The issue has been addressed by applying input sanitization such as stripping HTML tags, truncating the User-Agent to 500 characters before storage, and encoding output fields in the admin email view to prevent script execution.

Impact Analysis

This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript code in the context of the administrator's browser when they view the subscribed emails page. This can lead to several security risks including:

  • Theft of administrator session data.
  • Execution of arbitrary actions with administrator privileges.
  • Potential backend phishing attacks.
  • UI redressing or privilege abuse.

Since the attack can be performed remotely and anonymously by submitting a malicious User-Agent header during newsletter subscription, it poses a significant risk to the security of the administration panel and the overall platform.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the newsletter subscription endpoint and inspecting the User-Agent headers for suspicious or malicious script content.

Since the vulnerability involves stored cross-site scripting via the User-Agent header, you can check the database entries in the subscribed emails table for unusual or script-containing User-Agent strings.

Suggested commands include capturing HTTP requests with tools like curl or tcpdump and searching for suspicious User-Agent headers.

  • Use curl to simulate a subscription with a suspicious User-Agent header: curl -H "User-Agent: <script>alert(1)</script>" -d "[email protected]" https://yourdomain.com/newsletter/subscribe
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for User-Agent headers: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'User-Agent'
  • Query the database subscribed emails table for entries containing script tags or suspicious payloads in the User-Agent or browser fields.
Mitigation Strategies

The primary mitigation is to apply the available patch that fixes the vulnerability by sanitizing the User-Agent header before storing it and encoding output in the admin email views.

Specifically, the patch strips HTML tags and truncates the User-Agent to 500 characters before storage, and applies HTML encoding to the browser, email, and IP fields in the admin interface to prevent script execution.

Until the patch is applied, it is advisable to restrict access to the subscribed emails admin page to trusted administrators only and monitor for suspicious User-Agent headers in incoming requests.

Additionally, consider implementing web application firewall (WAF) rules to detect and block malicious User-Agent headers containing script tags or suspicious payloads.

Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows an attacker to inject malicious scripts into the administrator-facing subscribed emails page by manipulating the User-Agent header during newsletter subscription.

Such an XSS vulnerability can lead to theft of administrator session data, execution of arbitrary actions in the administrator's authenticated context, and potential backend phishing or privilege abuse.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the presence of this vulnerability could impact compliance by exposing sensitive administrative interfaces to unauthorized script execution, potentially leading to unauthorized access or data breaches.

Therefore, failure to patch this vulnerability might result in non-compliance with security requirements in regulations that mandate protection of sensitive data and secure administrative access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14634. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart