CVE-2026-14632 in Ecommerce-CodeIgniter-Bootstrap
Summary
by MITRE • 07/04/2026
A vulnerability was found in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 95dfa8cebbb87ab46ae450643a07241274a74dce. Affected by this issue is the function setReferrer of the file application/core/MY_Controller.php of the component Trusted Backend Interface. The manipulation of the argument href results in open redirect. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The patch is identified as 213babdbaa949e94557246414db0130e01394517. A patch should be applied to remediate this issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/04/2026
This vulnerability exists within the kirilkirkov Ecommerce-CodeIgniter-Bootstrap platform, specifically in the Trusted Backend Interface component located at application/core/MY_Controller.php. The flaw resides in the setReferrer function where improper input validation allows attackers to manipulate the href argument, creating an open redirect condition that can be exploited remotely. The vulnerability affects versions up to commit 95dfa8cebbb87ab46ae450643a07241274a74dce and has been confirmed as publicly exploitable with available proof-of-concept code. The rolling release implementation used by this product complicates version tracking and makes it difficult to definitively identify affected releases, though the patch is identified at commit 213babdbaa949e94557246414db0130e01394517.
The technical nature of this vulnerability aligns with CWE-601 Open Redirect and falls under the ATT&CK technique T1190 Exploit Public-Facing Application, as it represents a web application security flaw that can be leveraged by remote attackers. The open redirect occurs when user-supplied input from the href parameter is not properly validated or sanitized before being used to construct redirection URLs. This allows an attacker to craft malicious links that redirect users to arbitrary external domains, potentially enabling phishing attacks, credential theft, or malware distribution. The vulnerability's remote execution capability means no local access or user interaction beyond visiting a malicious link is required for exploitation.
The operational impact of this vulnerability is significant as it creates an attack vector that can be used to deceive users into visiting malicious websites while appearing to come from a trusted source within the ecommerce platform. Attackers could exploit this flaw to redirect users to phishing pages designed to capture login credentials or personal information, or to deliver malware through legitimate-looking redirects. The public availability of exploit code increases the likelihood of successful exploitation across a wide range of potentially affected installations. Organizations using this platform may experience compromised user trust, potential data breaches, and reputational damage from successful phishing campaigns leveraging the open redirect.
Mitigation strategies should focus on immediate patch application to the identified commit 213babdbaa949e94557246414db0130e01394517 which addresses the input validation issue in the setReferrer function. Organizations should also implement additional security measures including input sanitization for all user-supplied parameters, implementation of strict URL validation that only allows redirection to known good domains, and network-level filtering to prevent access to suspicious external domains. Regular security auditing of web applications should include validation of redirect mechanisms and adherence to secure coding practices as outlined in OWASP Top Ten and NIST Cybersecurity Framework guidelines. Additionally, implementing content security policies and monitoring for anomalous redirection patterns can help detect potential exploitation attempts.