Cross Site Scripting Vulnerability in Ecommerce-CodeIgniter-Bootstrap by Kiril Kirkov
CVE-2026-14634

5.3MEDIUM

Key Information:

Vendor
CVE Published:
4 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-14634?

A Cross Site Scripting vulnerability has been identified in the Ecommerce-CodeIgniter-Bootstrap, specifically affecting the Subscribed Emails Admin Page. The issue arises from improper handling of the User-Agent argument in the checkForPostRequests function located in application/core/MY_Controller.php. This flaw allows attackers to exploit the vulnerability remotely, with publicly accessible variants of the exploit available online. To mitigate this issue, it is crucial to apply the provided patch, 23105f25dadf57b4314fc015a63a7c6e910c89df, as version information for future updates is not disclosed due to the rolling release nature of the software.

Affected Version(s)

Ecommerce-CodeIgniter-Bootstrap 213babdbaa949e94557246414db0130e01394517

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

VulDB GitHub Commit Analyzer
.