CVE-2026-14635 in Ecommerce-CodeIgniter-Bootstrapinfo

Summary

by MITRE • 07/04/2026

A security flaw has been discovered in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 222ff31c06687b1c6d0e1ab63953f82c3674c52b. This issue affects some unknown processing of the file application/modules/vendor/controllers/AddProduct.php of the component Vendor Multi-Image Endpoint. Performing a manipulation of the argument folder results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 2a9497ff11f36e573ad99e1c357ff0e6ded49745. Applying a patch is the recommended action to fix this issue.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/04/2026

This vulnerability resides within the kirilkirkov Ecommerce-CodeIgniter-Bootstrap platform, specifically targeting the Vendor Multi-Image Endpoint functionality. The flaw manifests in the application/modules/vendor/controllers/AddProduct.php file where improper input validation occurs during folder parameter processing. This path traversal vulnerability allows attackers to manipulate the folder argument and navigate through the filesystem beyond intended boundaries. The security issue represents a critical weakness in the application's access control mechanisms and file handling procedures.

The technical exploitation of this vulnerability follows a classic path traversal attack pattern where malicious actors can manipulate directory paths to access restricted files or directories. The vulnerability is classified under CWE-23 as Path Traversal, which occurs when applications fail to properly sanitize user input before using it in file system operations. Attackers can leverage this weakness to perform remote code execution, data exfiltration, or system compromise by traversing the directory structure and accessing sensitive files that should remain protected.

The operational impact of this vulnerability is severe given its remote exploitability and the public availability of exploitation tools. The rolling release model employed by this ecommerce platform means that version information is not readily available for determining affected systems, complicating remediation efforts. Attackers can directly target the application without requiring physical access or local privileges, making this a particularly dangerous vulnerability in web applications. The continuous delivery approach may also mean that patches are frequently applied, potentially creating confusion about which versions contain the fix.

Security professionals should implement immediate mitigation strategies including applying the patch identified as 2a9497ff11f36e573ad99e1c357ff0e6ded49745. This patch should be applied to all instances of the affected software regardless of version number due to the rolling release methodology. Additional protective measures include implementing proper input validation, sanitizing all user-supplied data before file system operations, and restricting file upload capabilities to prevent malicious path manipulation. The vulnerability aligns with ATT&CK technique T1059.007 for Path Traversal and T1566 for Valid Accounts, as attackers may use this weakness to escalate privileges or access unauthorized resources within the application's file system.

Organizations should conduct comprehensive security assessments of their deployed instances to identify all potentially affected systems. The lack of specific version details due to the rolling release model necessitates thorough vulnerability scanning and code review processes. Network segmentation and web application firewalls can provide additional protection layers while permanent fixes are implemented. Regular monitoring for exploitation attempts and maintaining up-to-date threat intelligence regarding this specific vulnerability will help organizations respond effectively to any targeted attacks. The patch implementation should be verified through proper testing procedures to ensure that the fix does not introduce regressions in functionality while properly addressing the path traversal weakness.

Responsible

VulDB

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00437

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!