CVE-2026-14636
Received Received - Intake

Path Traversal in Ecommerce-CodeIgniter-Bootstrap

Vulnerability report for CVE-2026-14636, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A weakness has been identified in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 23105f25dadf57b4314fc015a63a7c6e910c89df. Impacted is the function do_upload_others_images of the file application/modules/vendor/controllers/AddProduct.php of the component Vendor Image Manager. Executing a manipulation of the argument folder can lead to path traversal. It is possible to launch the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. This patch is called de1c9e73ccf3bd032d9a0525c4752290d959dd8b. It is best practice to apply a patch to resolve this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-04
Last Modified
2026-07-04
Generated
2026-07-04
AI Q&A
2026-07-04
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kirilkirkov ecommerce-codeigniter-bootstrap to 23105f25dadf57b4314fc015a63a7c6e910c89df (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14636 is a path traversal vulnerability in the Ecommerce-CodeIgniter-Bootstrap application, specifically in the vendor-side AJAX API endpoint do_upload_others_images. A low-privilege vendor user can manipulate the folder parameter, which is concatenated directly into a filesystem path without proper validation, allowing them to traverse outside the intended image directory and upload files to arbitrary writable directories on the server.

This vulnerability arises because the application does not properly sanitize or canonicalize the folder input, enabling attackers to use traversal sequences like '..\..\' to write files outside the designated folder.

The weakness is classified as CWE-22 (Path Traversal) and has a medium severity with a CVSS score of 5.4.

Impact Analysis

This vulnerability allows an attacker with low privileges to upload arbitrary files to any writable directory on the server, potentially overwriting or adding malicious files outside the intended image upload directory.

Such unauthorized file uploads can lead to further exploitation, including code execution, data corruption, or denial of service by tampering with application files or cache.

Because the attacker can write files outside the intended directory, the integrity and security boundaries of the application are compromised.

Detection Guidance

This vulnerability can be detected by attempting to exploit the path traversal in the vendor-side AJAX API endpoint `do_upload_others_images` by manipulating the `folder` parameter to upload files outside the intended directory.

A practical detection method is to try uploading a file using traversal sequences such as `..\..\application\cache\pocupload` in the `folder` parameter and then verify if the file appears in the traversed destination.

Commands or steps to detect this might include using curl or similar tools to send POST requests to the vulnerable endpoint with crafted `folder` parameters, for example:

  • curl -X POST -F "folder=..\..\application\cache\pocupload" -F "[email protected]" https://targetsite/path/to/do_upload_others_images
  • Then check if the file `pocupload` appears in the `application/cache/` directory on the server or if it can be enumerated via a paired endpoint.

Monitoring logs for unusual file uploads or unexpected file paths in the upload requests can also help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to apply the security patch that sanitizes user inputs for the `folder` and `image` parameters in the upload functionality.

This patch uses the basename() function to prevent path traversal by stripping directory paths from user inputs and adds guard clauses to reject empty or invalid folder/image values.

Additionally, ensure that input sanitization includes proper encoding such as ENT_QUOTES and UTF-8 to enhance security.

If patching immediately is not possible, restrict access to the vulnerable endpoint to trusted users only and monitor for suspicious upload activity.

Review and harden file upload permissions and directory write access on the server to limit the impact of any potential exploitation.

Compliance Impact

The vulnerability allows a low-privilege vendor user to perform a path traversal attack, enabling arbitrary file uploads to unintended directories on the server. This breaks the intended privilege boundaries and could potentially lead to unauthorized modification or addition of files within the application environment.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such unauthorized file writes could lead to data integrity and security issues. This may indirectly impact compliance by increasing the risk of unauthorized access or modification of sensitive data, which is a concern under regulations requiring data protection and integrity.

Therefore, failure to patch this vulnerability could expose the system to risks that might violate security requirements in common standards and regulations, especially those mandating strict access controls and data integrity safeguards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14636. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart