CVE Catalog

CVE-2026-14635

High · CVSS 7.3

Summary

A path traversal vulnerability has been discovered in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to commit 222ff31c06687b1c6d0e1ab63953f82c3674c52b, in the file application/modules/vendor/controllers/AddProduct.php of the Vendor Multi-Image Endpoint component. A remote attacker can manipulate the folder argument to traverse paths, leading to unauthorized file access. The exploit has been publicly released and may be used in attacks.

Risk Assessment

The risk involves potential remote read or write access to files outside the intended directory, which could lead to data leakage, configuration modification, or application compromise.

Recommendation

Apply the patch identified as 2a9497ff11f36e573ad99e1c357ff0e6ded49745 immediately. Since the project uses a rolling release model, update to the latest commit in the repository to remediate the vulnerability.

Original NVD description (English source)

A security flaw has been discovered in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 222ff31c06687b1c6d0e1ab63953f82c3674c52b. This issue affects some unknown processing of the file application/modules/vendor/controllers/AddProduct.php of the component Vendor Multi-Image Endpoint. Performing a manipulation of the argument folder results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 2a9497ff11f36e573ad99e1c357ff0e6ded49745. Applying a patch is the recommended action to fix this issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS