Description
A vulnerability has been found in code-projects Online Shoe Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_product.php. The manipulation of the argument product_name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-09
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting
Action: Apply patch
AI Analysis

Impact

A flaw in the /admin/admin_product.php page of the code‑projects Online Shoe Store allows an attacker to control the product_name parameter and inject arbitrary JavaScript. The injected script runs in the web browser of anyone who views the page, which can lead to session hijacking, defacement, or phishing attempts. The weakness is a classic cross‑site scripting (CWE‑79) vulnerability and may also enable code injection via the same input field (CWE‑94).

Affected Systems

The affected product is code‑projects Online Shoe Store version 1.0. The vulnerability exists in the admin_product.php component and no other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be initiated remotely by sending an HTTP request to the vulnerable endpoint; an attacker does not need local or privileged access, although the page is part of an admin interface. Exploitation requires only the ability to inject a payload such as ?product_name=<script>alert(1)</script> into the request.

Generated by OpenCVE AI on April 9, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • If a vendor‑supplied patch or newer release is available, upgrade to that version immediately.
  • If an update is not yet available, apply input validation and output encoding to the product_name field in /admin/admin_product.php to neutralise injected code.
  • Ensure that only authenticated administrators can access the admin interface and that session handling is secure; monitor access logs for anomalous requests to the admin pages.
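Illustrating the second recommendation, an added example that is not code from the Online Shoe Store project: a hypothetical handler for the product_name field, shown in its vulnerable shape beside a hardened one that validates the value and HTML-encodes it for the output context. The handler structure, function names and the 100-character limit are assumptions; only the parameter name and page path come from the advisory.

```php
<?php
// Added example, not code from the Online Shoe Store project. The handler shape
// (reading product_name from the request and writing it back into the admin page)
// is an assumption; the parameter name and page come from the advisory.
declare(strict_types=1);

// Vulnerable pattern: the raw parameter is concatenated straight into HTML, so a
// value such as <script>alert(1)</script> is executed by the admin's browser.
function render_product_name_unsafe(string $productName): string
{
    return '<input name="product_name" value="' . $productName . '">'
         . '<h2>' . $productName . '</h2>';
}

// Hardened handling, step 1: validate. A shoe name needs letters, digits, spaces
// and a little punctuation; anything else is rejected (the length cap is assumed).
function validate_product_name(string $productName): ?string
{
    $name = trim($productName);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .,\'&()-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Hardened handling, step 2: encode for the HTML context the value lands in.
// ENT_QUOTES covers both attribute quote styles; ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently turning the whole output into an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_product_name_safe(string $productName): string
{
    $name = validate_product_name($productName);
    if ($name === null) {
        // Constructed log line, matching the advice to monitor the admin pages.
        error_log('admin_product.php: rejected product_name value');
        return '<p class="error">Invalid product name.</p>';
    }
    return '<input name="product_name" value="' . h($name) . '">'
         . '<h2>' . h($name) . '</h2>';
}

// Constructed inputs: the advisory's payload and a legitimate name with quotes.
echo render_product_name_unsafe('<script>alert(1)</script>'), PHP_EOL;
echo render_product_name_safe('<script>alert(1)</script>'), PHP_EOL;
echo render_product_name_safe("Men's Runner & Co."), PHP_EOL;
```

Run from the command line with `php example.php`; the first line shows the script tag emitted verbatim, the second the rejection, and the third the quote and ampersand encoded so the name renders but cannot break out of the attribute or element.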

History

Thu, 09 Apr 2026 03:30:00 +0000 (all values added; none removed)

Description: A vulnerability has been found in code-projects Online Shoe Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_product.php. The manipulation of the argument product_name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Title: code-projects Online Shoe Store admin_product.php cross site scripting
First Time appeared: Code-projects; Code-projects online Shoe Store
Weaknesses: CWE-79, CWE-94
CPEs: cpe:2.3:a:code-projects:online_shoe_store:*:*:*:*:*:*:*:*
Vendors & Products: Code-projects; Code-projects online Shoe Store
References: (none)
Metrics:
  cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE
Status: PUBLISHED
Assigner: VulDB
Published:
Updated: 2026-04-09T03:00:20.635Z
Reserved: 2026-04-08T17:26:38.610Z
Link: CVE-2026-5836

Vulnrichment
No data.

NVD
Status: Received
Published: 2026-04-09T04:17:23.400
Modified: 2026-04-09T04:17:23.400
Link: CVE-2026-5836

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-09T08:25:07Z

Weaknesses