Skip to main content

ecommerceFlask EUVDEUVD-2026-41813

| CVE-2026-14800 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-06 VulDB GHSA-p382-hpg8-f9gw
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-delivered CSRF requiring victim click (UI:R, PR:N); impact is integrity-only and limited to victim's own session scope (S:U, I:L, C:N, A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Severity Changed
Jul 06, 2026 - 08:22 NVD
MEDIUM LOW
CVSS changed
Jul 06, 2026 - 08:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jul 06, 2026 - 07:56 vuln.today

DescriptionCVE.org

A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Cross-site request forgery in imhamzaazam ecommerceFlask allows a remote, unauthenticated attacker to induce authenticated victims into executing unauthorized state-changing actions against the application. The vulnerability exists in an unspecified function of the Flask-based e-commerce application up to commit cb7d9e24c30a99379651b7493b32048126ef402b, with no patch released and the project maintainer not yet responding. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host forged HTML form on attacker-controlled page
Delivery
Deliver phishing link to authenticated ecommerceFlask user
Exploit
Victim browser loads attacker page with active session
Execution
Browser auto-submits forged request with victim session cookies
Impact
ecommerceFlask processes unauthorized state-changing action

Vulnerability AssessmentAI

Exploitation The victim must have an active authenticated session with the ecommerceFlask application at the time of exploitation, as CSRF leverages the victim's own credentials - an unauthenticated victim has no session to abuse. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) accurately reflects a limited but real-world applicable risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious webpage containing a hidden HTML form that submits a forged POST request to the ecommerceFlask application - for example, modifying an order, changing account details, or triggering a transaction. When an authenticated ecommerceFlask user visits the attacker's page (via a phishing link or injected advertisement), the victim's browser automatically sends the request with valid session cookies, causing the server to process the unauthorized action. …
Remediation No vendor-released patch has been identified at time of analysis - the project maintainer has not responded to the responsible disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy