CVE-2026-14635 (GCVE-0-2026-14635)
Vulnerability from cvelistv5 – Published: 2026-07-04 16:30 – Updated: 2026-07-04 16:30 X_Open Source
VLAI
Title
kirilkirkov Ecommerce-CodeIgniter-Bootstrap Vendor Multi-Image Endpoint AddProduct.php path traversal
Summary
A security flaw has been discovered in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 222ff31c06687b1c6d0e1ab63953f82c3674c52b. This issue affects some unknown processing of the file application/modules/vendor/controllers/AddProduct.php of the component Vendor Multi-Image Endpoint. Performing a manipulation of the argument folder results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 2a9497ff11f36e573ad99e1c357ff0e6ded49745. Applying a patch is the recommended action to fix this issue.
Severity
CWE
- CWE-22 - Path Traversal
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376150 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376150/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14635 | third-party-advisory |
| https://vuldb.com/submit/845906 | third-party-advisory |
| https://github.com/kirilkirkov/Ecommerce-CodeIgni… | exploit |
| https://github.com/kirilkirkov/Ecommerce-CodeIgni… | patch |
| https://github.com/kirilkirkov/Ecommerce-CodeIgni… | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| kirilkirkov | Ecommerce-CodeIgniter-Bootstrap |
Affected:
222ff31c06687b1c6d0e1ab63953f82c3674c52b
cpe:2.3:a:kirilkirkov:ecommerce-codeigniter-bootstrap:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:kirilkirkov:ecommerce-codeigniter-bootstrap:*:*:*:*:*:*:*:*"
],
"modules": [
"Vendor Multi-Image Endpoint"
],
"product": "Ecommerce-CodeIgniter-Bootstrap",
"vendor": "kirilkirkov",
"versions": [
{
"status": "affected",
"version": "222ff31c06687b1c6d0e1ab63953f82c3674c52b"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB GitHub Commit Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 222ff31c06687b1c6d0e1ab63953f82c3674c52b. This issue affects some unknown processing of the file application/modules/vendor/controllers/AddProduct.php of the component Vendor Multi-Image Endpoint. Performing a manipulation of the argument folder results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 2a9497ff11f36e573ad99e1c357ff0e6ded49745. Applying a patch is the recommended action to fix this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T16:30:08.679Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376150 | kirilkirkov Ecommerce-CodeIgniter-Bootstrap Vendor Multi-Image Endpoint AddProduct.php path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376150"
},
{
"name": "VDB-376150 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376150/cti"
},
{
"name": "CVE-2026-14635 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14635"
},
{
"name": "Submit #845906 | kirilkirkov Ecommerce-CodeIgniter-Bootstrap master Path Traversal",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/845906"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/security/advisories/GHSA-6whv-r5hm-vcjr"
},
{
"tags": [
"patch"
],
"url": "https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/commit/2a9497ff11f36e573ad99e1c357ff0e6ded49745"
},
{
"tags": [
"product"
],
"url": "https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-03T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-03T19:29:59.000Z",
"value": "VulDB entry last update"
}
],
"title": "kirilkirkov Ecommerce-CodeIgniter-Bootstrap Vendor Multi-Image Endpoint AddProduct.php path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14635",
"datePublished": "2026-07-04T16:30:08.679Z",
"dateReserved": "2026-07-03T17:24:31.004Z",
"dateUpdated": "2026-07-04T16:30:08.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-14635",
"date": "2026-07-05",
"epss": "0.00437",
"percentile": "0.35154"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-14635\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2026-07-04T17:16:48.780\",\"lastModified\":\"2026-07-04T17:16:48.780\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A security flaw has been discovered in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 222ff31c06687b1c6d0e1ab63953f82c3674c52b. This issue affects some unknown processing of the file application/modules/vendor/controllers/AddProduct.php of the component Vendor Multi-Image Endpoint. Performing a manipulation of the argument folder results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 2a9497ff11f36e573ad99e1c357ff0e6ded49745. Applying a patch is the recommended action to fix this issue.\"}],\"affected\":[{\"source\":\"cna@vuldb.com\",\"affectedData\":[{\"vendor\":\"kirilkirkov\",\"product\":\"Ecommerce-CodeIgniter-Bootstrap\",\"cpes\":[\"cpe:2.3:a:kirilkirkov:ecommerce-codeigniter-bootstrap:*:*:*:*:*:*:*:*\"],\"modules\":[\"Vendor Multi-Image Endpoint\"],\"versions\":[{\"version\":\"222ff31c06687b1c6d0e1ab63953f82c3674c52b\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/commit/2a9497ff11f36e573ad99e1c357ff0e6ded49745\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/security/advisories/GHSA-6whv-r5hm-vcjr\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/cve/CVE-2026-14635\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/submit/845906\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/vuln/376150\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/vuln/376150/cti\",\"source\":\"cna@vuldb.com\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…