CVE-2026-5835 - Vulnerability Details

- code-projects Online Shoe Store admin_football.php cross site scripting

Description

A flaw has been found in code-projects Online Shoe Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Executing a manipulation of the argument product_name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.

Published: 2026-04-09

Score: 4.8 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A cross‑site scripting flaw exists in the admin_football.php module of code‑projects Online Shoe Store 1.0. An attacker can supply a crafted value for the product_name parameter. When the application renders the supplied value without proper filtering, arbitrary JavaScript is executed in the browser of anyone who views the affected page. This allows an attacker to steal session cookies, deface the site, or conduct phishing attacks. The flaw is classified as CWE‑79 and is also linked with possible code‑injection weaknesses (CWE‑94).

Affected Systems

The affected product is code‑projects Online Shoe Store 1.0. The vulnerability resides in the /admin/admin_football.php file, and administrators or users who can interact with this page via the product_name argument are susceptible. No information about additional authentication requirements is provided, so the issue may be exploitable by anyone who can reach the page.

Risk and Exploitability

With a CVSS score of 4.8, the vulnerability is considered moderate; the probability of exploitation is not quantified by EPSS and it is not listed in the CISA KEV catalog. Nevertheless, because a public exploit has been released and the attack can be carried out remotely, administrators should treat this as a high‑impact risk. The flaw can be leveraged by an unauthenticated attacker to deliver malicious scripts to unsuspecting users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Online Shoe Store

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Code-projects

Online Shoe Store

95%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Online Shoe Store to the latest patched version provided by code‑projects.
If an update is not available, ensure that the product_name parameter is properly validated and sanitized to prevent script injection.
Configure web application firewalls or input filtering rules to block script payloads on the admin_football.php endpoint.
Monitor user activity for signs of XSS exploitation, such as unexpected script execution or session hijacking.

Generated by OpenCVE AI on April 9, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://code-projects.org/
https://github.com/lonelyuan/vunls/issues/4
https://vuldb.com/submit/788340
https://vuldb.com/vuln/356291
https://vuldb.com/vuln/356291/cti

History

Thu, 09 Apr 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in code-projects Online Shoe Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Executing a manipulation of the argument product_name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.
Title		code-projects Online Shoe Store admin_football.php cross site scripting
First Time appeared		Code-projects Code-projects online Shoe Store
Weaknesses		CWE-79 CWE-94
CPEs		cpe:2.3:a:code-projects:online_shoe_store::::::::
Vendors & Products		Code-projects Code-projects online Shoe Store
References		https://code-projects.org/ https://github.com/lonelyuan/vunls/issues/4 https://vuldb.com/submit/788340 https://vuldb.com/vuln/356291 https://vuldb.com/vuln/356291/cti
Metrics		cvssV2_0 `{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Online Shoe Store

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-09T02:45:10.553Z

Updated: 2026-04-09T02:45:10.553Z

Reserved: 2026-04-08T17:26:34.978Z

Link: CVE-2026-5835

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T04:17:23.160

Modified: 2026-04-09T04:17:23.160

Link: CVE-2026-5835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:08Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object