Description
A weakness has been identified in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 23105f25dadf57b4314fc015a63a7c6e910c89df. Impacted is the function do_upload_others_images of the file application/modules/vendor/controllers/AddProduct.php of the component Vendor Image Manager. Executing a manipulation of the argument folder can lead to path traversal. It is possible to launch the attack remotely. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. This patch is called de1c9e73ccf3bd032d9a0525c4752290d959dd8b. It is best practice to apply a patch to resolve this issue.
Published: 2026-07-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a directory traversal flaw (CWE-22) in the do_upload_others_images method of the Vendor Image Manager's AddProduct.php controller in the Ecommerce-CodeIgniter-Bootstrap project. Because the method is an upload handler, the folder argument selects where the uploaded image is stored; an attacker who controls that value can escape the intended upload directory and have the file written to any location the web server process is allowed to write. Consistent with that, the published CVSS vectors score confidentiality impact as none and integrity and availability as low: the realistic outcome is unwanted file creation or overwriting under the web server's filesystem permissions, not disclosure of existing files.

Affected Systems

Affected versions include any release of kirilkirkov Ecommerce-CodeIgniter‑Bootstrap up to commit 23105f25dadf57b4314fc015a63a7c6e910c89df. The bug resides in AddProduct.php within the Vendor Image Manager module. The project follows a rolling‑release model, so no formal version numbers are available, but the patch commit de1c9e73ccf3bd032d9a0525c4752290d959dd8b fixes the vulnerability.

Risk and Exploitability

The CVSS 4.0 score of 5.3 (5.4 under CVSS 3.x) indicates moderate risk. No EPSS data is available, so the probability of exploitation is unknown, and the E:X component of the vectors means exploit maturity has not been assessed. The attack is remote and needs no user interaction, but it is not unauthenticated: the vectors record PR:L (Au:S in CVSS 2.0), so the attacker needs an account that can reach the vendor upload endpoint, after which a single crafted request carrying a malicious folder value suffices. Without the patch, such an attacker could place uploaded files at attacker-chosen paths, affecting the integrity and availability of the application's files. The lack of a KEV listing indicates no known in-the-wild exploitation at the time of writing, but the vulnerability remains a valid attack vector.

Generated by OpenCVE AI on July 4, 2026 at 23:52 UTC.

Remediation

No separate vendor advisory or workaround has been published. The CVE description identifies commit de1c9e73ccf3bd032d9a0525c4752290d959dd8b as the fix, and the CVSS vectors carry RL:O (official fix), so updating to that commit or a later one is the remediation.

OpenCVE Recommended Actions

  • Update the repository or application to the patch commit de1c9e73ccf3bd032d9a0525c4752290d959dd8b or any later revision (the project has no versioned releases, so track the commit rather than a version number).
  • If the patch cannot be applied immediately, validate the folder parameter against an allow-list of known folder names (exact match) rather than trying to strip '..' or separators, and reject the request outright on any mismatch. As a second check, canonicalise the final destination path and confirm it still lies under the upload root.
  • Store uploads in a dedicated directory outside the web root, or one where script execution is disabled, and run the web server with write access limited to that directory, so that a traversal attempt cannot land a file anywhere sensitive even if the controller check is bypassed.
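The validation and containment checks above, as an added example that is not code from the Ecommerce-CodeIgniter-Bootstrap project or from this advisory: a PHP helper showing the unsafe concatenation of a request-controlled folder value beside an allow-list plus canonical-path check. The class name VendorUploadFolder, the allow-list entries, the CodeIgniter call shape in the comment and the temporary demo directory are assumptions for illustration, not the project's own identifiers.

```php
<?php
// Added illustration, not code from the Ecommerce-CodeIgniter-Bootstrap
// project. It shows the unsafe pattern a request-controlled "folder" value
// produces beside an allow-list + canonical-path check. The class name,
// the ALLOWED names and the demo directory are assumptions for this example.

final class VendorUploadFolder
{
    /** Assumed allow-list of sub-folders that may receive vendor uploads. */
    private const ALLOWED = ['products', 'gallery', 'thumbs'];

    /**
     * Unsafe pattern: the request value is concatenated into the path as-is,
     * so a value such as "../../" moves the destination out of the upload root.
     */
    public static function resolveUnsafe(string $uploadRoot, string $folder): string
    {
        return rtrim($uploadRoot, '/') . '/' . $folder . '/';
    }

    /**
     * Hardened resolver. Returns the destination directory, or null when the
     * request must be rejected (the value is never "cleaned" and accepted).
     */
    public static function resolveSafe(string $uploadRoot, string $folder): ?string
    {
        // 1. Exact-match allow-list: rejects '..', separators, NUL bytes and
        //    any name that is not one of the known folders.
        if (!in_array($folder, self::ALLOWED, true)) {
            return null;
        }
        // 2. Canonicalise both ends and require containment. This catches a
        //    misconfigured root and an allowed name that is a symlink outside it.
        $root = realpath($uploadRoot);
        if ($root === false) {
            return null;
        }
        $target = realpath($root . DIRECTORY_SEPARATOR . $folder);
        if ($target === false) {
            return null;                    // folder missing: do not create it on demand
        }
        $prefix = $root . DIRECTORY_SEPARATOR;
        if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $target . DIRECTORY_SEPARATOR;
    }
}

// In a CodeIgniter 3 controller the call would look like this (assumed shape):
//   $dest = VendorUploadFolder::resolveSafe(FCPATH . 'attachments/vendor', $this->input->post('folder'));
//   if ($dest === null) { show_error('Invalid folder', 400); }
//   $this->load->library('upload', ['upload_path' => $dest, 'allowed_types' => 'jpg|png']);

// Demonstration on a constructed temporary upload root (only 'products' exists).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
mkdir($root . DIRECTORY_SEPARATOR . 'products', 0700, true);

$cases = ['products', 'gallery', '../../etc', 'products/../../etc', "products\0", '/tmp'];
foreach ($cases as $folder) {
    printf("%-28s unsafe: %s\n%-28s safe:   %s\n\n",
        json_encode($folder), VendorUploadFolder::resolveUnsafe($root, $folder),
        '', VendorUploadFolder::resolveSafe($root, $folder) ?? 'REJECTED');
}
rmdir($root . DIRECTORY_SEPARATOR . 'products');
rmdir($root);
```

Run it with the PHP CLI. Only 'products' resolves; 'gallery' is on the allow-list but does not exist on disk, so the second check rejects it rather than creating a directory on demand, and every traversal-shaped value is rejected by the allow-list before realpath() is ever reached. The unsafe column shows where the same values would have landed under plain concatenation.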

Generated by OpenCVE AI on July 4, 2026 at 23:52 UTC.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 17:00:00 +0000

Type                  Values Removed   Values Added
Description           -                A weakness has been identified in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 23105f25dadf57b4314fc015a63a7c6e910c89df. Impacted is the function do_upload_others_images of the file application/modules/vendor/controllers/AddProduct.php of the component Vendor Image Manager. Executing a manipulation of the argument folder can lead to path traversal. It is possible to launch the attack remotely. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. This patch is called de1c9e73ccf3bd032d9a0525c4752290d959dd8b. It is best practice to apply a patch to resolve this issue.
Title                 -                kirilkirkov Ecommerce-CodeIgniter-Bootstrap Vendor Image Manager AddProduct.php do_upload_others_images path traversal
First Time appeared   -                Kirilkirkov; Kirilkirkov ecommerce-codeigniter-bootstrap
Weaknesses            -                CWE-22
CPEs                  -                cpe:2.3:a:kirilkirkov:ecommerce-codeigniter-bootstrap:*:*:*:*:*:*:*:*
Vendors & Products    -                Kirilkirkov; Kirilkirkov ecommerce-codeigniter-bootstrap
References            -                -
Metrics               -                cvssV2_0: {'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:OF/RC:C'}
                                       cvssV3_0: {'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C'}
                                       cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C'}
                                       cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T16:45:09.305Z

Reserved: 2026-07-03T17:24:34.759Z

Link: CVE-2026-14636

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T00:00:16Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')