Description
A vulnerability was determined in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 49b20f53de2b7ec34e920b11c863f1491d911a04. This affects an unknown part of the file /index.php/api/product/set of the component Hidden REST API Endpoint. This manipulation of the argument title/description causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. Patch name: d9785f995da77bdc62fb2d34bad5f7a162c9ad23. To fix this issue, it is recommended to deploy a patch.
Published: 2026-07-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the hidden REST API endpoint /index.php/api/product/set of the kirilkirkov Ecommerce-CodeIgniter-Bootstrap application. The title and description parameters are not neutralized before being rendered, so manipulating either of them leads to client-side script injection. An attacker can inject arbitrary JavaScript which, when executed in a victim's browser, can steal session data, deface pages, or perform actions on the victim's behalf. The weakness is classified as improper neutralization of input during web page generation (CWE-79) and improper control of code generation (CWE-94). The attack is exclusively web-based and compromises the confidentiality and integrity of user sessions.

Affected Systems

The affected system is the kirilkirkov Ecommerce-CodeIgniter-Bootstrap web application. All revisions prior to commit d9785f995da77bdc62fb2d34bad5f7a162c9ad23, which contains the fix for the XSS issue, are vulnerable. The product follows a rolling release model without version numbers, so users should update to the latest commit or branch that includes the fix.

Risk and Exploitability

The CVSS score is 5.3, a medium severity rating. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The endpoint is reachable over the network, so any external party able to send an HTTP request carrying a crafted title or description value can attempt exploitation. Because no authentication is required to reach the endpoint, the risk is relatively high for internet-exposed installations running affected code. The absence of an EPSS score means that exploitation frequency data is not currently tracked, but the publicly disclosed exploit indicates that attackers could deploy this XSS payload.

Generated by OpenCVE AI on July 5, 2026 at 07:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch identified by commit d9785f995da77bdc62fb2d34bad5f7a162c9ad23 to the codebase and redeploy the application.
  • Restrict access to the /index.php/api/product/set endpoint to authenticated users only, using authentication middleware or server-side access controls.
  • Implement input validation and output encoding on all user-supplied title and description fields to prevent script injection.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 49b20f53de2b7ec34e920b11c863f1491d911a04. This affects an unknown part of the file /index.php/api/product/set of the component Hidden REST API Endpoint. This manipulation of the argument title/description causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. Patch name: d9785f995da77bdc62fb2d34bad5f7a162c9ad23. To fix this issue, it is recommended to deploy a patch.
Title | | kirilkirkov Ecommerce-CodeIgniter-Bootstrap Hidden REST API Endpoint set cross site scripting
First Time appeared | | Kirilkirkov; Kirilkirkov ecommerce-codeigniter-bootstrap
Weaknesses | | CWE-79; CWE-94
CPEs | | cpe:2.3:a:kirilkirkov:ecommerce-codeigniter-bootstrap:*:*:*:*:*:*:*:*
Vendors & Products | | Kirilkirkov; Kirilkirkov ecommerce-codeigniter-bootstrap
References | |
Metrics (cvssV2_0) | | {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
Metrics (cvssV3_0) | | {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
Metrics (cvssV3_1) | | {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
Metrics (cvssV4_0) | | {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T15:45:09.498Z

Reserved: 2026-07-03T17:24:24.761Z

Link: CVE-2026-14633

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T08:00:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')