Description
A vulnerability was detected in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /admin/admin_running.php. Performing a manipulation of the argument product_name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Published: 2026-04-09
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability lies in the admin_running.php script of the code-projects Online Shoe Store. By supplying a crafted value for the product_name argument, an attacker can inject malicious scripts into the page. This remote cross‑site scripting flaw allows execution of arbitrary JavaScript in the context of the application, potentially leading to session hijacking, data theft, defacement, or phishing attacks against users or administrators. The flaw is classified under CWE‑79 and CWE‑94.

Affected Systems

The affected product is code‑projects Online Shoe Store version 1.0. No additional versions or sub‑products are listed as impacted in the available data.

Risk and Exploitability

The CVSS base score of 4.8 places the issue in the moderate range, but the vulnerability is exploitable remotely and a publicly available exploit exists. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be remote through the web interface, where the product_name parameter can be tampered with to inject scripts. Moderately high risk exists for any exposed installation lacking input validation.

Generated by OpenCVE AI on April 9, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Online Shoe Store to a patched version from the vendor if one is released.
  • If no patch is available, ensure all user‑supplied input, especially the product_name parameter, is properly sanitized and encoded before rendering.
  • Deploy a web application firewall or similar rule set to detect and block typical XSS payloads.
  • Disable or restrict access to the admin_running.php endpoint for users who do not require it.
  • Monitor application logs for repeated attempts to inject script content in the product_name field.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 03:30:00 +0000

Type / Values Removed / Values Added (this is the initial record; every entry below is a value added, none removed)

Description
  Values Added: A vulnerability was detected in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /admin/admin_running.php. Performing a manipulation of the argument product_name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used.

Title
  Values Added: code-projects Online Shoe Store admin_running.php cross site scripting

First Time appeared
  Values Added: Code-projects; Code-projects online Shoe Store

Weaknesses
  Values Added: CWE-79; CWE-94

CPEs
  Values Added: cpe:2.3:a:code-projects:online_shoe_store:*:*:*:*:*:*:*:*

Vendors & Products
  Values Added: Code-projects; Code-projects online Shoe Store

References
  Values Added: (none listed)

Metrics
  Values Added:
    cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T02:30:11.420Z

Reserved: 2026-04-08T17:26:30.648Z

Link: CVE-2026-5834

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T04:17:20.980

Modified: 2026-04-09T04:17:20.980

Link: CVE-2026-5834

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:09Z

Weaknesses