Description
Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getReader() functions.
Published: 2026-04-30
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the XssHttpServletRequestWrapper class of Shopizer 3.2.5 and allows an authenticated user to insert malicious JavaScript or arbitrary HTML through the getInputStream() or getReader() methods. By controlling the payload delivered to these methods, an attacker can execute scripts in the context of the web application, leading to credential theft, session hijacking, defacement, or the delivery of malware to end users.

Affected Systems

Shopizer eCommerce platform version 3.2.5 is affected. All installations of this version that expose the vulnerable request wrapper to authenticated users are at risk.

Risk and Exploitability

An attacker must first authenticate to the system to exploit the flaw, after which they can inject malicious content that will be rendered when the input streams are processed. While EPSS data and KEV status are not available, the CVSS score of 5.4 indicates medium severity; the flaw nonetheless gives an attacker the ability to execute arbitrary scripts, a significant threat to the confidentiality and integrity of user data.

Generated by OpenCVE AI on May 2, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Shopizer to the latest released version that contains the fix for the XssHttpServletRequestWrapper issue or apply the vendor-supplied patch.
  • Implement strict input sanitization for all data retrieved via getInputStream() and getReader(), ensuring that any injected scripts or HTML are escaped before rendering.
  • Deploy a Web Application Firewall and enforce a stringent Content Security Policy to block the execution of unexpected scripts within the application.


Advisories

No advisories yet.

History

Each entry lists the changed field and the values added; no values were removed in any entry.

Sat, 02 May 2026 00:45:00 +0000
  Title: Authenticated XSS via Shopizer getInputStream and getReader in XssHttpServletRequestWrapper

Fri, 01 May 2026 08:45:00 +0000
  First Time appeared: Shopizer; Shopizer shopizer
  Vendors & Products: Shopizer; Shopizer shopizer

Thu, 30 Apr 2026 19:15:00 +0000
  Weaknesses: CWE-79
  Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 18:15:00 +0000
  Description: Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getReader() functions.
  References:

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-30T18:36:13.325Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36766

Vulnrichment

Updated: 2026-04-30T18:34:01.630Z

NVD

Status : Deferred

Published: 2026-04-30T18:16:29.830

Modified: 2026-04-30T19:16:09.377

Link: CVE-2026-36766

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:30:16Z

Weaknesses