Description
A security flaw has been discovered in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 222ff31c06687b1c6d0e1ab63953f82c3674c52b. This issue affects some unknown processing of the file application/modules/vendor/controllers/AddProduct.php of the component Vendor Multi-Image Endpoint. Performing a manipulation of the argument folder results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The patch is named 2a9497ff11f36e573ad99e1c357ff0e6ded49745. Applying a patch is the recommended action to fix this issue.
Published: 2026-07-04
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Vendor Multi‑Image Endpoint of the AddProduct.php controller lets a remote attacker supply a folder argument that escapes the directory the endpoint is meant to operate in (CWE-22). The description does not state which file operation the endpoint performs under that attacker-controlled path, so whether the traversal exposes files, places files outside the intended tree, or both is not documented on this page. The CVSS vectors record low, not high, impact on confidentiality, integrity and availability (VC:L/VI:L/VA:L), and they record no authentication (PR:N) and no user interaction (UI:N) as prerequisites, so the request can be sent by anyone who can reach the endpoint.

Affected Systems

The issue affects the kirilkirkov Ecommerce‑CodeIgniter‑Bootstrap project. No version numbers are available because the project uses a rolling release model; the vulnerability is reported in the code base up to commit 222ff31c06687b1c6d0e1ab63953f82c3674c52b, and commit 2a9497ff11f36e573ad99e1c357ff0e6ded49745 is the public patch. Any checkout that does not include the patch commit should be treated as affected.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 rates the issue Medium (the CVSS 3.x vectors on this record score 7.3, High). No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, but a public exploit exists (the vectors carry E:P, proof of concept) and the attack vector is network with no privileges required, so exploitation against exposed instances is realistic. Applying the patch removes the traversal; until then an attacker can make the endpoint operate on paths outside the intended directory, with the exact file operation undocumented on this page.

Generated by OpenCVE AI on July 4, 2026 at 23:52 UTC.

Remediation

No versioned release contains the fix, because the project ships as a rolling release; the fix is the patch commit 2a9497ff11f36e573ad99e1c357ff0e6ded49745 named in the description. No workaround is documented.

OpenCVE Recommended Actions

  • Apply the patch commit 2a9497ff11f36e573ad99e1c357ff0e6ded49745 to application/modules/vendor/controllers/AddProduct.php (or update the checkout to a commit that includes it) and confirm the deployed file matches the patched version.
  • Validate the folder parameter in AddProduct.php with an allow-list (for example a single path component restricted to a strict character set) rather than only stripping '..' sequences, and confirm the canonicalised target path still lies under the upload root; blocklist-only filtering misses URL-encoded, double-encoded and backslash variants.
  • Monitor web server access logs for traversal patterns in the folder parameter ('../', '..\', and URL-encoded forms such as %2e%2e%2f or %252e%252e%252f) and alert on repeated attempts from one source.
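The following is an added example, not code from the Ecommerce-CodeIgniter-Bootstrap project or from AddProduct.php, whose actual code is not reproduced on this page. It illustrates the second and third actions above: a vulnerable join of a user-supplied folder argument beside an allow-list check with a canonical-path prefix test, and a log scanner that flags traversal attempts in the folder parameter after full URL decoding. The function names, the upload root and the request paths in the sample log lines are assumptions constructed for the example.

```php
<?php
// Added example, not code from the Ecommerce-CodeIgniter-Bootstrap project.
// The real AddProduct.php is not on this page; unsafe_target_dir() is an
// illustrative pattern, and the routes in the sample log are constructed.

// --- Vulnerable pattern: the folder argument is joined into the path as-is. ---
function unsafe_target_dir(string $uploadRoot, string $folder): string
{
    return $uploadRoot . '/' . $folder; // "../../application/config" escapes the root
}

// --- Hardened form: allow one plain path component, then confirm that the
// canonical path (when it already exists) is still under the upload root. ---
function safe_target_dir(string $uploadRoot, string $folder): ?string
{
    // The framework has already URL-decoded the argument once; the allow-list
    // rejects separators, dots and '%', so no further decoding can change it.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $folder) !== 1) {
        return null;
    }
    $root = realpath($uploadRoot);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $folder;
    // If the directory exists, resolve symlinks and re-check the prefix so a
    // planted symlink with an allowed name cannot redirect the operation.
    $resolved = realpath($candidate);
    if ($resolved !== false && strpos($resolved, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// --- Detection: flag access-log lines whose path or query values contain a
// parent-directory reference after repeated URL decoding. ---
function decode_fully(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

function has_traversal(string $value): bool
{
    $normalized = str_replace('\\', '/', decode_fully($value));
    return preg_match('#(^|/)\.\.(/|$)#', $normalized) === 1;
}

function looks_like_traversal(string $logLine): bool
{
    // Common-log style: METHOD SP request-target SP HTTP/version
    if (preg_match('#^\S+ (\S+) HTTP/#', $logLine, $m) !== 1) {
        return false;
    }
    $parts = parse_url($m[1]);
    if ($parts === false) {
        return true; // an unparseable request target is itself worth a look
    }
    if (isset($parts['path']) && has_traversal($parts['path'])) {
        return true;
    }
    if (isset($parts['query'])) {
        parse_str($parts['query'], $params); // decodes one level, as the server does
        foreach ($params as $value) {
            if (is_string($value) && has_traversal($value)) {
                return true;
            }
        }
    }
    return false;
}

// Demo against a temporary upload root (constructed data).
$root = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir($root . '/product_7', 0700, true);
var_dump(unsafe_target_dir($root, '../../application/config')); // leaves the root
var_dump(safe_target_dir($root, 'product_7'));                   // path under $root
var_dump(safe_target_dir($root, '../../application/config'));    // NULL

$sampleLog = [ // constructed lines; the route is hypothetical
    'GET /vendor/addproduct/multi-image?folder=product_7 HTTP/1.1',
    'GET /vendor/addproduct/multi-image?folder=../../application/config HTTP/1.1',
    'GET /vendor/addproduct/multi-image?folder=..%2F..%2Fapplication%2Fconfig HTTP/1.1',
    'GET /vendor/addproduct/multi-image?folder=%252e%252e%252f HTTP/1.1',
];
foreach ($sampleLog as $line) {
    printf("%s  %s\n", looks_like_traversal($line) ? 'ALERT' : 'ok   ', $line);
}
```

The allow-list is the control; the realpath prefix check is a second line of defence for the symlink case and is skipped when the directory does not exist yet, which is why the regex must be strict on its own. The detector decodes up to three times so that double-encoded sequences (%252e) are caught, and normalises backslashes so Windows-style traversal is not missed.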

Generated by OpenCVE AI on July 4, 2026 at 23:52 UTC.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 16:45:00 +0000

Type / Values Removed / Values Added (no values were removed in this entry)

Description (added): A security flaw has been discovered in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 222ff31c06687b1c6d0e1ab63953f82c3674c52b. This issue affects some unknown processing of the file application/modules/vendor/controllers/AddProduct.php of the component Vendor Multi-Image Endpoint. Performing a manipulation of the argument folder results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The patch is named 2a9497ff11f36e573ad99e1c357ff0e6ded49745. Applying a patch is the recommended action to fix this issue.
Title (added): kirilkirkov Ecommerce-CodeIgniter-Bootstrap Vendor Multi-Image Endpoint AddProduct.php path traversal
First Time appeared (added): Kirilkirkov; Kirilkirkov ecommerce-codeigniter-bootstrap
Weaknesses (added): CWE-22
CPEs (added): cpe:2.3:a:kirilkirkov:ecommerce-codeigniter-bootstrap:*:*:*:*:*:*:*:*
Vendors & Products (added): Kirilkirkov; Kirilkirkov ecommerce-codeigniter-bootstrap
References (added): none listed
Metrics (added):

cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Kirilkirkov Ecommerce-codeigniter-bootstrap
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T16:30:08.679Z

Reserved: 2026-07-03T17:24:31.004Z

Link: CVE-2026-14635

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T00:00:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')