CVE-2026-14637
Received Received - Intake

Deserialization Vulnerability in Ecommerce-CodeIgniter-Bootstrap

Vulnerability report for CVE-2026-14637, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A security vulnerability has been detected in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 13fd582aaf49aeab7438acc0fc3eb973a1f5e6a7. The affected element is the function getCartItems in the library application/libraries/ShoppingCart.php. The manipulation of the argument shopping_cart leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The identifier of the patch is 49b20f53de2b7ec34e920b11c863f1491d911a04. It is recommended to apply a patch to fix this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-04
Last Modified
2026-07-04
Generated
2026-07-04
AI Q&A
2026-07-04
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kirilkirkov ecommerce-codeigniter-bootstrap to 13fd582aaf49aeab7438acc0fc3eb973a1f5e6a7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14637 is an unsafe deserialization vulnerability in the Ecommerce-CodeIgniter-Bootstrap application, specifically in the getCartItems() function of the ShoppingCart.php library. The vulnerability arises because the application deserializes attacker-controlled data from the shopping_cart cookie without proper validation.

An attacker can remotely manipulate the shopping_cart cookie to provide a serialized object instead of the expected array of product IDs. This causes a fatal error, leading to a denial-of-service (DoS) condition and disclosure of sensitive stack-trace information, including internal filesystem paths.

No privileges or user interaction are required to exploit this vulnerability, making it highly accessible. While arbitrary code execution was not confirmed, the vulnerability creates a high-risk primitive that could potentially be exploited further if a suitable gadget chain is found.

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated attacker to cause a denial-of-service (DoS) on your Ecommerce-CodeIgniter-Bootstrap application by triggering fatal errors through manipulated shopping_cart cookie data.

Additionally, the attacker can gain partial confidentiality impact by disclosing sensitive internal stack-trace information, such as filesystem paths, which could aid in further attacks.

Although code execution was not confirmed, the vulnerability represents a significant security risk (CVSS 8.2) and could potentially be leveraged for more severe exploits in the future.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP 500 responses triggered by manipulation of the shopping_cart cookie. Specifically, sending crafted serialized objects in the shopping_cart cookie to the Ecommerce-CodeIgniter-Bootstrap application may cause a fatal error and expose stack-trace information.

A practical detection method is to send HTTP requests with modified shopping_cart cookies containing serialized PHP objects and observe if the server responds with HTTP 500 errors and reveals internal implementation details.

Example command using curl to test the vulnerability by injecting a serialized object in the shopping_cart cookie:

  • curl -v --cookie "shopping_cart=O:8:\"stdClass\":0:{}" http://target-application-url/

If the server responds with HTTP 500 and discloses stack traces or filesystem paths, the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to apply the security patch identified by commit 49b20f53de2b7ec34e920b11c863f1491d911a04.

This patch replaces unsafe PHP serialization functions with JSON encoding and decoding for handling the shopping_cart cookie, preventing unsafe deserialization.

Additionally, the patch adds validation to ensure only positive integer product IDs are accepted, further reducing risk.

Until the patch is applied, consider implementing web application firewall (WAF) rules to block or sanitize suspicious shopping_cart cookie values to prevent exploitation.

Compliance Impact

The vulnerability in CVE-2026-14637 allows unauthenticated attackers to cause denial-of-service and disclose sensitive stack-trace information by exploiting unsafe deserialization in the shopping cart cookie. This exposure of internal implementation details, including filesystem paths, could lead to leakage of sensitive information.

Such information disclosure and potential availability disruption can negatively impact compliance with standards like GDPR and HIPAA, which require protection of personal data confidentiality and system availability.

Specifically, GDPR mandates appropriate technical measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The vulnerability’s ability to expose internal data and cause service disruption could be considered a failure to meet these requirements.

Similarly, HIPAA requires safeguarding electronic protected health information (ePHI) to ensure confidentiality, integrity, and availability. The vulnerability’s impact on availability and partial confidentiality could lead to non-compliance if exploited in a healthcare context.

Therefore, until patched, this vulnerability poses a risk to compliance with such regulations by exposing sensitive information and affecting service availability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14637. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart