Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component
AnalysisAI
Cross-site scripting (XSS) vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows remote attackers to execute arbitrary JavaScript in victim browsers and exfiltrate sensitive information through the product_catalogue.php component. The vulnerability requires user interaction (clicking a malicious link or visiting a compromised page) but affects all users due to stored or reflected XSS impact across site sessions. CVSS 6.1 reflects moderate risk with network-based attack vector and low complexity, though no active exploitation in CISA KEV has been confirmed at time of analysis.
Technical ContextAI
The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw in PHP-based e-commerce application logic. The product_catalogue.php component fails to properly sanitize or encode user-supplied input before rendering it in HTML context, allowing attackers to inject malicious JavaScript payloads. The affected product is andrewtch88's MVC (Model-View-Controller) e-commerce framework version 1.0, which appears to be a custom or lesser-known PHP e-commerce solution. CPE data is incomplete (marked as n/a), limiting precise software supply chain tracking, but the vulnerability is documented under ENISA EUVD-2026-26387.
RemediationAI
No vendor-released patch has been identified at time of analysis. The application's vendor (andrewtch88) should immediately implement input validation and output encoding in the product_catalogue.php component, specifically using PHP's htmlspecialchars() or equivalent context-aware encoding for all user-controlled data rendered in HTML contexts. As an immediate compensating control, disable or restrict access to product_catalogue.php via web application firewall (WAF) rules that block known XSS payloads (e.g., script tags, event handlers) until patches are available. Alternatively, if the e-commerce platform is not actively maintained, consider migrating to a supported, actively maintained e-commerce framework (Magento, WooCommerce, Shopify) that receives regular security updates. Each workaround trades functionality (blocked features or reduced usability) against security; migration eliminates long-term risk but requires development effort.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26387