CVE-2026-14633
MediumCVSS 4.3Summary
A cross-site scripting vulnerability was found in Ecommerce-CodeIgniter-Bootstrap up to commit 49b20f53 in the hidden REST API endpoint. Manipulating the title/description arguments in /index.php/api/product/set allows remote XSS attacks. The exploit has been publicly disclosed and may be used.
Risk Assessment
An attacker can inject malicious scripts, leading to session hijacking, account takeover, or website defacement. The risk is high due to the publicly available exploit and remote attack vector.
Recommendation
Immediately apply the patch named d9785f995da77bdc62fb2d34bad5f7a162c9ad23. Due to the rolling release model, update to the latest commit in the repository.
Original NVD description (English source)
A vulnerability was determined in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 49b20f53de2b7ec34e920b11c863f1491d911a04. This affects an unknown part of the file /index.php/api/product/set of the component Hidden REST API Endpoint. This manipulation of the argument title/description causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. Patch name: d9785f995da77bdc62fb2d34bad5f7a162c9ad23. To fix this issue, it is recommended to deploy a patch.

