Description
A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-07-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A function in the e‑commerce application can be manipulated to trigger a state‑changing request without the user’s intent, enabling an attacker to perform unauthorized actions on behalf of an authenticated user. This weakness is a classic CSRF flaw (CWE-352) that can also allow access to privileged functionality (CWE-862). The vulnerability is exploitable remotely and public exploits are available, so an attacker could automate the abuse from any location.

Affected Systems

The product affected is imhamzaazam ecommerceFlask. No specific version numbers are available because the project uses a rolling release model and the vendor has not released a patched version or responded to vulnerability reports.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% marks the likelihood of exploitation as low at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The attack can be initiated remotely by sending crafted requests to the unknown function; the absence of a CSRF token or other origin validation permits execution of actions that would normally require user interaction. Because no official patch or workaround is available, the risk persists until the vendor implements CSRF protection or a fixed release is made available.

Generated by OpenCVE AI on July 6, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement an anti‑CSRF token mechanism for all state‑changing requests in the application.
  • Configure the session cookie with the SameSite attribute set to "Lax" or "Strict" to limit cross‑origin request submission.
  • Require authentication headers or referrer checks on critical endpoints so that only authorized requests can alter state.
  • Contact the vendor and request an update or direct patch, and apply any interim fixes published by the community or security group.

Generated by OpenCVE AI on July 6, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 07:30:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Title imhamzaazam ecommerceFlask cross-site request forgery
First Time appeared Imhamzaazam
Imhamzaazam ecommerceflask
Weaknesses CWE-352
CWE-862
CPEs cpe:2.3:a:imhamzaazam:ecommerceflask:*:*:*:*:*:*:*:*
Vendors & Products Imhamzaazam
Imhamzaazam ecommerceflask
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Imhamzaazam Ecommerceflask
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T13:04:16.385Z

Reserved: 2026-07-05T18:36:52.340Z

Link: CVE-2026-14800

cve-icon Vulnrichment

Updated: 2026-07-06T13:04:12.784Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T22:41:34Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)

  • CWE-862

    Missing Authorization