Description
A security vulnerability has been detected in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 13fd582aaf49aeab7438acc0fc3eb973a1f5e6a7. The affected element is the function getCartItems in the library application/libraries/ShoppingCart.php. The manipulation of the argument shopping_cart leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The identifier of the patch is 49b20f53de2b7ec34e920b11c863f1491d911a04. It is recommended to apply a patch to fix this issue.
Published: 2026-07-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the getCartItems function of the ShoppingCart.php library, where the client-supplied shopping_cart argument is deserialized without prior validation. Because the value is attacker-controlled, a crafted serialized payload reaches PHP's unserialize; in this class of flaw, if a class with an exploitable magic method (__wakeup, __destruct, __toString) is loadable by the application, the result can be arbitrary code execution. Note that the published CVSS vectors (C:L/I:N/A:H) rate the confirmed impact as a high availability impact with low confidentiality impact rather than a full compromise, so code execution should be treated as a possible worst case rather than a demonstrated one. This weakness is classified under CWE-502 "Deserialization of Untrusted Data" and CWE-20 "Improper Input Validation."

Affected Systems

This issue affects the kirilkirkov Ecommerce-CodeIgniter-Bootstrap application, specifically all releases up to commit 13fd582aaf49aeab7438acc0fc3eb973a1f5e6a7. The patch to remediate the flaw is available in commit 49b20f53de2b7ec34e920b11c863f1491d911a04.

Risk and Exploitability

The CVSS 4.0 score of 8.8 (the 3.0 and 3.1 vectors score it 8.2, the 2.0 vector 8.5) classifies the flaw as high severity. Every published vector is network-reachable with no privileges or user interaction required (AV:N/PR:N/UI:N) and carries an exploit maturity of proof-of-concept (E:P). While the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the advisory states that the exploit is publicly disclosed and can be initiated remotely, so unauthenticated remote exploitation of the deserialization flaw should be assumed feasible.

Generated by OpenCVE AI on July 5, 2026 at 07:48 UTC.

Remediation

No versioned vendor release or workaround is published. The only fix available is the patch commit 49b20f53de2b7ec34e920b11c863f1491d911a04 referenced in the description; because the project uses rolling releases, there is no tagged version to upgrade to.

OpenCVE Recommended Actions

  • Apply the patch corresponding to commit 49b20f53de2b7ec34e920b11c863f1491d911a04, which is the fix the advisory identifies for this issue.
  • Because the project ships by continuous delivery with rolling releases, deploy a build that includes commit 49b20f53de2b7ec34e920b11c863f1491d911a04 rather than waiting for a tagged version; treat any build at or before commit 13fd582aaf49aeab7438acc0fc3eb973a1f5e6a7 as affected.
  • Until the patch is deployed, review the shopping_cart handling in getCartItems: never pass client-controlled data to unserialize(). Store the cart as JSON and validate each field against an explicit schema, or, if the serialized format must be kept for compatibility, call unserialize() with ['allowed_classes' => false] and validate the result before use.
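The unsafe pattern the analysis and recommendations above describe, beside two hardened forms, as an added PHP example written for this page; it is not code from Ecommerce-CodeIgniter-Bootstrap or from the patch commit, and it does not claim to reproduce how ShoppingCart.php actually reads the cart. The parameter name shopping_cart comes from the advisory; the function names, the cart schema (product_id, quantity) and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration of the pattern named in the advisory, not code from
// Ecommerce-CodeIgniter-Bootstrap. The parameter name shopping_cart comes
// from the advisory; the function bodies, the schema and the sample inputs
// are assumptions made for this example.

// Unsafe pattern: untrusted client data goes straight to unserialize().
// Any serialized object is instantiated, so every loadable class with a
// __wakeup()/__destruct()/__toString() becomes a potential gadget.
function getCartItemsUnsafe(string $shoppingCart): mixed
{
    return @unserialize($shoppingCart);
}

// Minimal mitigation when the serialized format must be kept: refusing all
// classes makes objects come back as __PHP_Incomplete_Class, so no magic
// method runs. The structure still has to be validated afterwards.
function getCartItemsNoClasses(string $shoppingCart): array
{
    $items = @unserialize($shoppingCart, ['allowed_classes' => false]);
    return is_array($items) ? validateCart($items) : [];
}

// Preferred fix: store the cart as JSON (no object instantiation at all),
// bound the nesting depth, and accept only the fields the cart needs.
function getCartItemsSafe(string $shoppingCart): array
{
    // A list of flat entries needs depth 2; anything deeply nested is refused.
    $decoded = json_decode($shoppingCart, true, 4);
    return is_array($decoded) ? validateCart($decoded) : [];
}

// Schema check shared by both hardened variants: each entry must carry a
// positive integer product_id and a quantity in [1, 1000]; anything else
// is silently dropped rather than passed on to the cart logic.
function validateCart(array $entries): array
{
    $items = [];
    foreach ($entries as $entry) {
        if (!is_array($entry)) {
            continue;
        }
        $id  = filter_var($entry['product_id'] ?? null, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
        $qty = filter_var($entry['quantity'] ?? null, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1, 'max_range' => 1000]]);
        if ($id === false || $qty === false) {
            continue;
        }
        $items[] = ['product_id' => $id, 'quantity' => $qty];
    }
    return $items;
}

// Constructed sample inputs for the demonstration (not payloads from the
// advisory). stdClass stands in for whatever gadget class an attacker
// would actually target; the point is only whether an object gets built.
$legacyCart    = serialize([['product_id' => 7, 'quantity' => 2]]);
$objectPayload = 'O:8:"stdClass":1:{s:4:"note";s:4:"demo";}';
$jsonCart      = '[{"product_id":7,"quantity":2},{"product_id":"x","quantity":-1}]';

$r = getCartItemsUnsafe($objectPayload);
echo "unsafe, object payload:   ", is_object($r) ? get_class($r) : gettype($r), "\n";

$r = @unserialize($objectPayload, ['allowed_classes' => false]);
echo "no classes, object class: ", get_class($r), "\n";

echo "no classes, legacy cart:  ", json_encode(getCartItemsNoClasses($legacyCart)), "\n";
echo "no classes, object:       ", json_encode(getCartItemsNoClasses($objectPayload)), "\n";
echo "json, mixed entries:      ", json_encode(getCartItemsSafe($jsonCart)), "\n";
echo "json, serialized input:   ", json_encode(getCartItemsSafe($legacyCart)), "\n";
```

Run with PHP 8.0 or later. getCartItemsUnsafe() returns an instantiated stdClass for the object payload, which is exactly the behaviour that makes a real gadget class reachable; with ['allowed_classes' => false] the same payload comes back as __PHP_Incomplete_Class, no magic method executes, and getCartItemsNoClasses() returns an empty array because the result is not a list. getCartItemsSafe() keeps the valid JSON entry, drops the entry with a non-integer product_id and negative quantity, and returns an empty array for serialized input because json_decode() rejects it. The allowed_classes option is a stop-gap: it prevents object instantiation but still leaves unserialize() parsing attacker-controlled structure, so the JSON form is the one to keep.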



Advisories

No advisories yet.

History

Sat, 04 Jul 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 13fd582aaf49aeab7438acc0fc3eb973a1f5e6a7. The affected element is the function getCartItems in the library application/libraries/ShoppingCart.php. The manipulation of the argument shopping_cart leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The identifier of the patch is 49b20f53de2b7ec34e920b11c863f1491d911a04. It is recommended to apply a patch to fix this issue.
Title | | kirilkirkov Ecommerce-CodeIgniter-Bootstrap ShoppingCart.php getCartItems deserialization
First Time appeared | | Kirilkirkov; Kirilkirkov ecommerce-codeigniter-bootstrap
Weaknesses | | CWE-20; CWE-502
CPEs | | cpe:2.3:a:kirilkirkov:ecommerce-codeigniter-bootstrap:*:*:*:*:*:*:*:*
Vendors & Products | | Kirilkirkov; Kirilkirkov ecommerce-codeigniter-bootstrap
References | |
Metrics | | cvssV2_0 {'score': 8.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:C/E:POC/RL:OF/RC:C'}; cvssV3_0 {'score': 8.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C'}; cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C'}; cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T17:30:11.062Z

Reserved: 2026-07-03T17:24:37.659Z

Link: CVE-2026-14637

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T08:00:12Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-502

    Deserialization of Untrusted Data