Skip to main content

E-Commerce Website CVE-2026-2347

| EUVDEUVD-2026-30264 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 TR-CERT GHSA-q88p-27gr-q4g5
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 14, 2026 - 11:01 EUVD
Analysis Generated
May 14, 2026 - 10:15 vuln.today
CVE Published
May 14, 2026 - 09:25 nvd
CRITICAL 9.8

DescriptionCVE.org

Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking.

This issue affects E-Commerce Website: before 4.5.001.

AnalysisAI

Authorization bypass in Akilli Commerce E-Commerce Website before 4.5.001 allows remote unauthenticated attackers to hijack user sessions through user-controlled key manipulation. The vulnerability enables complete system compromise with high impact to confidentiality, integrity, and availability. Turkish national CERT (TR-CERT) published an advisory, indicating regional significance. No public exploit code or CISA KEV listing identified at time of analysis, but the CVSS 9.8 Critical rating and network-accessible, unauthenticated attack vector suggest this is highly exploitable if the platform is internet-facing.

Technical ContextAI

This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the application incorrectly uses user-supplied input as a direct key to authorize access to resources or sessions. In e-commerce platforms, this typically manifests when session identifiers, user IDs, or authorization tokens in cookies, URL parameters, or POST data are not properly validated server-side. The application trusts client-controlled values to determine session ownership, allowing attackers to substitute their own identifiers with those of legitimate users. The affected product is Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website (CPE: cpe:2.3:a:akilli_commerce_software_technologies_ltd._co.:e-commerce_website), a Turkish e-commerce platform. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates this is a network-accessible vulnerability with low complexity requiring no privileges or user interaction, making it trivially exploitable once the vulnerable parameter is identified.

RemediationAI

Upgrade to Akilli Commerce E-Commerce Website version 4.5.001 or later, as confirmed by TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0222). This is the primary and only confirmed fix. If immediate patching is not feasible, implement the following compensating controls with their trade-offs: Deploy a web application firewall (WAF) with custom rules to block suspicious session token patterns in requests (requires signature development and ongoing tuning; may cause false positives for legitimate session management). Implement additional server-side session validation tied to client IP address and User-Agent strings (reduces session hijacking success but breaks legitimate use cases where users change networks or browsers mid-session). Enable strict server-side session binding to prevent cross-session access attempts (most effective mitigation but requires code changes and testing). Restrict administrative and customer account access via VPN or IP allowlisting where operationally feasible (significantly limits exposure but impacts user experience and sales operations). Monitor authentication logs for anomalous session activity such as rapid session switches or geographically inconsistent access patterns (detection only, not prevention; requires SIEM integration and analyst review).

CVE-2021-25207 CRITICAL POC
9.8 Jul 23

Arbitrary file upload vulnerability in SourceCodester E-Commerce Website v 1.0 allows attackers to execute arbitrary cod

CVE-2021-25205 CRITICAL POC
9.8 Jul 22

SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL

CVE-2024-8217 MEDIUM POC
6.9 Aug 27

A vulnerability has been found in SourceCodester E-Commerce Website 1.0 and classified as critical. Rated medium severit

CVE-2025-11024 CRITICAL
9.8 May 14

Remote unauthenticated SQL injection in Akilli Commerce Software Technologies E-Commerce Website before version 4.5.001

CVE-2025-6577 CRITICAL
9.8 May 12

SQL injection in Akilli Commerce E-Commerce Website versions before 4.5.001 allows remote unauthenticated attackers to e

CVE-2025-11513 MEDIUM POC
5.5 Oct 09

A vulnerability was determined in code-projects E-Commerce Website 1.0. This affects an unknown part of the file /pages/

CVE-2025-11596 MEDIUM POC
5.5 Oct 11

A vulnerability was determined in code-projects E-Commerce Website 1.0. The affected element is an unknown function of t

CVE-2025-11558 MEDIUM POC
5.5 Oct 09

A vulnerability was found in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/us

CVE-2025-11420 MEDIUM POC
5.5 Oct 08

A vulnerability was detected in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages

CVE-2022-27330 MEDIUM POC
5.4 May 03

A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows atta

CVE-2021-25204 MEDIUM POC
5.4 Jul 23

Cross-site scripting (XSS) vulnerability in SourceCodester E-Commerce Website v 1.0 allows remote attackers to inject ar

CVE-2024-8139 MEDIUM POC
5.3 Aug 25

A vulnerability has been found in itsourcecode E-Commerce Website 1.0 and classified as critical. Rated medium severity

Share

CVE-2026-2347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy