CVE Catalog

CVE-2026-14767

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

11th percentile — higher than 11% of all known CVEs

Summary

A SQL injection vulnerability has been discovered in CodeAstro Ecommerce Website 1.0 in the file /ecommerce-website-php/customer/confirm.php. An attacker can remotely manipulate the invoice_no parameter, leading to unauthorized database access. The exploit has been publicly released, increasing the risk of attacks.

Risk Assessment

The risk includes potential theft of customer data, modification of database contents, and possible application takeover. The public exploit makes it easier for unauthorized individuals to conduct attacks.

Recommendation

Immediately update the application to the latest version or apply a security patch to prevent SQL injection. Additionally, validate and sanitize all input data for the invoice_no parameter.

Original NVD description (English source)

A security flaw has been discovered in CodeAstro Ecommerce Website 1.0. This affects an unknown part of the file /ecommerce-website-php/customer/confirm.php of the component POST Parameter Handler. The manipulation of the argument invoice_no results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS