Description
A vulnerability has been found in CodeAstro Ecommerce Website 1.0. This impacts an unknown function of the file /ecommerce-website-php/customer/my_account.php?edit_account. Such manipulation of the argument c_name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-07-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection vulnerability exists in the my_account.php script of CodeAstro Ecommerce Website 1.0, specifically when manipulating the c_name argument in the edit_account operation. The flaw allows an attacker to inject arbitrary SQL through the web interface, potentially exposing or modifying sensitive customer data. The vulnerability is categorized as CWE-74 and CWE-89.

Affected Systems

The vulnerability impacts CodeAstro Ecommerce Website version 1.0, affecting the my_account.php module used for account editing. Because no further version range is specified, any installation of 1.0 that has not applied a patch is considered vulnerable. The affected endpoint is /ecommerce-website-php/customer/my_account.php?edit_account.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while no EPSS score is available, which implies the estimation of exploitation probability is uncertain. The vulnerability is not listed in CISA's KEV catalog, suggesting it has not been observed in large-scale exploitation campaigns yet. However, the attack can be performed remotely via crafted HTTP requests to the affected endpoint, and public reports confirm that the exploit exists. Thus, organizations running this application should consider the risk moderate but treat it as potentially exploitable if no patch is applied.

Generated by OpenCVE AI on July 5, 2026 at 07:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CodeAstro Ecommerce Website to a version that contains the fix for the SQL injection in my_account.php. If an official patch is not yet available, contact the vendor or check the project repository for a hotfix.
  • Ensure that the c_name parameter is properly validated and escaped, or that database queries use prepared statements or parameterized queries, to prevent SQL injection.
  • Deploy a web application firewall or a set of request filtering rules that detect and block common SQL injection payloads targeting the /ecommerce-website-php/customer/my_account.php?edit_account endpoint.
  • Restrict the database account used by the application to the minimum privileges required, limiting the potential impact of a successful injection.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 18:15:00 +0000

Values added (no values removed):

Description: A vulnerability has been found in CodeAstro Ecommerce Website 1.0. This impacts an unknown function of the file /ecommerce-website-php/customer/my_account.php?edit_account. Such manipulation of the argument c_name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Title: CodeAstro Ecommerce Website my_account.php sql injection
First Time appeared: Codeastro; Codeastro ecommerce Website
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:codeastro:ecommerce_website:*:*:*:*:*:*:*:*
Vendors & Products: Codeastro; Codeastro ecommerce Website
References: (none)
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T18:00:08.125Z

Reserved: 2026-07-03T17:28:15.303Z

Link: CVE-2026-14639

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T08:00:12Z

Weaknesses
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')