CVE-2026-14633 in Ecommerce-CodeIgniter-Bootstrap
Summary
by MITRE • 07/04/2026
A vulnerability was determined in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 49b20f53de2b7ec34e920b11c863f1491d911a04. This affects an unknown part of the file /index.php/api/product/set of the component Hidden REST API Endpoint. This manipulation of the argument title/description causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. Patch name: d9785f995da77bdc62fb2d34bad5f7a162c9ad23. To fix this issue, it is recommended to deploy a patch.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/04/2026
This vulnerability exists within the kirilkirkov Ecommerce-CodeIgniter-Bootstrap web application framework where an insecure handling of user input in the REST API endpoint located at /index.php/api/product/set creates a cross-site scripting opportunity. The flaw specifically affects the title and description parameters within this hidden API component, allowing attackers to inject malicious scripts that execute in the context of other users' browsers. As a result of the rolling release strategy employed by this product, version tracking becomes challenging since updates occur continuously without fixed release versions, making it difficult to definitively identify which specific builds contain the vulnerability or have been patched.
The technical implementation flaw stems from inadequate input validation and output sanitization within the API endpoint's parameter processing logic. When user-supplied data flows through the title and description fields without proper escaping or encoding mechanisms, malicious payloads can be persisted and subsequently executed when other users view the affected content. This represents a classic cross-site scripting vulnerability where the attack vector operates through the web application's API interface rather than traditional user-facing pages. The vulnerability's classification aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation into a Web Browser, which is a fundamental weakness in web application security architecture.
The remote exploitation capability means that attackers can trigger this vulnerability from any location without requiring physical access or local network presence. The publicly disclosed exploit demonstrates that threat actors have already developed working methods to leverage this weakness, increasing the risk profile significantly. This exposure allows for various malicious activities including session hijacking, credential theft, defacement of the application content, and potential redirection to phishing sites. The hidden nature of the REST API endpoint adds additional complexity since it may not be properly protected by standard security controls that typically monitor user-facing interfaces.
Organizations utilizing this ecommerce framework must immediately implement the patch referenced as d9785f995da77bdc62fb2d34bad5f7a162c9ad23 to remediate the vulnerability. The recommended approach involves deploying the specific code changes that address input validation and output encoding within the affected API endpoint. Security teams should conduct comprehensive testing to ensure that all instances of similar vulnerabilities are identified and addressed throughout the application. Additionally, implementing proper access controls and monitoring for unauthorized API calls can help detect potential exploitation attempts. This vulnerability also highlights the importance of maintaining up-to-date security practices in rolling release environments where traditional version-based patch management becomes less effective. The ATT&CK framework would categorize this as a web application attack vector utilizing techniques such as command injection and credential access through compromised user sessions, emphasizing the need for layered defense strategies including input validation, output encoding, and continuous monitoring of API endpoints for suspicious activities.