Description
A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file /admin/productedit.php. The manipulation of the argument productName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Published: 2026-05-24
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote web attacker can manipulate the productName parameter in /admin/productedit.php in SourceCodester SUP Online Shopping 1.0. This triggers a reflected cross‑site scripting vulnerability that would allow malicious JavaScript to execute in the victim’s browser. The flaw is exploitable through HTTP requests to the administrative interface.

Affected Systems

Only SourceCodester SUP Online Shopping version 1.0 is known to contain the vulnerable productedit.php script. No other product or version data is supplied.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity; EPSS data is not available, and the vulnerability is not listed in KEV. A public exploit is documented, and the attack can be launched remotely via HTTP requests. The likely entry point is the product edit form in the administrative interface, where a crafted productName value is reflected back without proper encoding.

Generated by OpenCVE AI on May 24, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official vendor patch or upgrade SourceCodester SUP Online Shopping to a version that removes the unescaped productName handling.
  • Implement strict input validation or output encoding for the productName field in productedit.php to satisfy CWE-79 requirements.
  • Deploy a Content‑Security‑Policy header or a Web Application Firewall rule that blocks malicious script injection on administrative pages.

Advisories

No advisories yet.

History

Sun, 24 May 2026 11:30:00 +0000

Type / Values Removed / Values Added
Description: A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file /admin/productedit.php. The manipulation of the argument productName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Title: SourceCodester SUP Online Shopping productedit.php cross site scripting
First Time appeared: Sourcecodester; Sourcecodester sup Online Shopping
Weaknesses: CWE-79; CWE-94
CPEs: cpe:2.3:a:sourcecodester:sup_online_shopping:*:*:*:*:*:*:*:*
Vendors & Products: Sourcecodester; Sourcecodester sup Online Shopping
References: (none)
Metrics:
  cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T11:00:13.202Z

Reserved: 2026-05-23T14:53:28.206Z

Link: CVE-2026-9377

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T13:30:15Z

Weaknesses