CVE-2026-14800
Received Received - Intake

Cross-Site Request Forgery in ecommerceFlask

Vulnerability report for CVE-2026-14800, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulDB

Description

A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
imhamzaazam ecommerceflask to cb7d9e24c30a99379651b7493b32048126ef402b (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability is a Cross-Site Request Forgery (CSRF) in the ecommerceFlask application that allows attackers to perform unauthorized actions such as fraudulent purchases without user consent.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, CSRF vulnerabilities can lead to unauthorized transactions and potential misuse of user data, which may impact compliance with regulations that require protection of user data and transaction integrity.

Specifically, unauthorized actions caused by CSRF could violate principles of data integrity and user consent, which are important in regulations such as GDPR and HIPAA, potentially leading to non-compliance if exploited.

Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the ecommerceFlask application, specifically at the /buy endpoint.

Because the application lacks CSRF protection, attackers can trick authenticated users into unknowingly submitting unauthorized requests, such as making purchases or creating orders without their consent.

This attack can be initiated remotely by having the victim visit a malicious webpage that submits forged requests to the vulnerable endpoint.

Impact Analysis

The vulnerability can lead to unauthorized purchases and fraudulent order creation on behalf of authenticated users.

Victims may suffer financial loss as funds can be deducted from their accounts without their knowledge or consent.

Attackers can exploit this flaw to manipulate transactions, potentially damaging user trust and the reputation of the ecommerce platform.

Detection Guidance

This vulnerability can be detected by testing the /buy endpoint of the ecommerceFlask application for the absence of CSRF protection. Specifically, attempts to submit POST requests to /buy without a valid CSRF token can confirm the vulnerability.

A practical detection method is to use tools like curl or browser developer tools to send forged POST requests to the /buy endpoint and observe if the request is processed without requiring a CSRF token.

  • Example curl command to test the vulnerability: curl -X POST https://targetsite/buy -d "item_id=123&quantity=1" --cookie "session=valid_session_cookie"
  • If the request succeeds without a CSRF token or any CSRF protection mechanism, the vulnerability is present.
Mitigation Strategies

To mitigate this CSRF vulnerability in the ecommerceFlask application, immediate steps include implementing CSRF protection both at the configuration and endpoint levels.

  • Add CSRF tokens to all forms and verify them on the server side for sensitive endpoints like /buy.
  • Use Flask extensions such as Flask-WTF or other CSRF protection middleware to automatically handle CSRF tokens.
  • Ensure that state-changing requests require a valid CSRF token and reject requests without it.
  • Educate users to avoid clicking on suspicious links that could trigger CSRF attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14800. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart