Platform: php
Component: code-projects-online-shoe-store
Fixed in: 1.0.1
CVE-2026-5835 describes a cross-site scripting (XSS) vulnerability discovered in code-projects Online Shoe Store versions 1.0.0 through 1.0. This flaw resides within the /admin/adminfootball.php file and allows attackers to inject malicious scripts by manipulating the productname parameter. The vulnerability is remotely exploitable and a public exploit is available, posing a potential risk to administrators and users of the system. A fix is expected to be released by the vendor.
Successful exploitation of CVE-2026-5835 allows an attacker to execute arbitrary JavaScript code in the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the administrative interface, and theft of sensitive information like user credentials or order details. Given the location of the vulnerable file (/admin/admin_football.php), the primary impact is on administrative users, who could be tricked into performing actions they wouldn't otherwise, such as revealing their login credentials or installing malware. The potential blast radius extends to any user whose session is hijacked, allowing attackers to access their accounts and potentially perform fraudulent transactions.
A public proof-of-concept (PoC) for CVE-2026-5835 has been published, indicating a relatively high likelihood of exploitation. The vulnerability was added to the NVD on 2026-04-09. The CVSS score of 2.4 (LOW) indicates that, although the vulnerability is real, both the ease of exploitation and the potential impact are limited. No KEV listing or active exploitation campaigns have been reported as of this time.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5835 is to upgrade to a patched version of code-projects Online Shoe Store as soon as it becomes available. In the interim, deploy a Web Application Firewall (WAF) rule that filters malicious input in the productname parameter of the /admin/adminfootball.php endpoint. Additionally, enforce strict input validation and context-aware output encoding on all user-supplied data to prevent XSS. Regularly review and update security configurations to minimize the attack surface. After upgrading, confirm the fix by submitting a simple XSS test string in the product_name parameter and verifying that the response renders it as encoded text rather than interpreting it as markup.
Update code-projects Online Shoe Store to the latest available version to remediate the XSS vulnerability in the admin_football.php file. Check the project's official sources for update instructions and security patches. Implement proper validation and escaping of the 'product_name' user input to prevent similar XSS issues in future.
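The Online Shoe Store source is not reproduced on this page, so the following is an added illustration (not the project's code) of the reflected-value pattern the mitigation paragraphs describe and of the output-encoding fix they recommend; the parameter name "productname" follows the CVE description above, and the sample input is constructed.

```php
<?php
// Added illustration, not the project's actual code: a hypothetical admin
// form field that reflects the "productname" request parameter into HTML.
declare(strict_types=1);

// Hypothetical vulnerable pattern: request data concatenated straight into
// an HTML attribute, so a quote or angle bracket in the value changes the
// markup instead of being shown as text.
function renderProductNameUnsafe(string $productName): string
{
    return '<input type="text" name="productname" value="' . $productName . '">';
}

// Hardened version: contextual output encoding. ENT_QUOTES encodes both
// quote styles so the value cannot leave the attribute; ENT_HTML5 plus an
// explicit charset avoids entity and encoding ambiguities.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderProductNameSafe(string $productName): string
{
    return '<input type="text" name="productname" value="'
        . encodeForHtml($productName) . '">';
}

// Defence in depth: an allow-list check on top of encoding. A shoe product
// name has no legitimate need for angle brackets or double quotes.
function isPlausibleProductName(string $productName): bool
{
    return strlen($productName) <= 100
        && preg_match('/^[\p{L}\p{N} .,\'&()-]+$/u', $productName) === 1;
}

// Constructed sample containing the characters an injection relies on.
$sample = 'Runner "><b>x</b>';

$safe = renderProductNameSafe($sample);
// The encoded output keeps the markup inert: no raw < > or " survive.
assert(strpos($safe, '<b>') === false);
assert(strpos($safe, '&quot;&gt;&lt;b&gt;x&lt;/b&gt;') !== false);
assert(!isPlausibleProductName($sample));
assert(isPlausibleProductName("Air Zoom Pegasus 40 (Men's)"));

echo renderProductNameUnsafe($sample), PHP_EOL; // attribute broken open
echo $safe, PHP_EOL;                             // rendered as literal text
```

Run with `php -d zend.assertions=1 example.php` so the assertions are evaluated; the same `encodeForHtml` call is what a WAF rule can only approximate, which is why the upgrade and the output encoding, not the WAF, are the real fix.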
CVE-2026-5835 is a cross-site scripting (XSS) vulnerability in code-projects Online Shoe Store versions 1.0.0–1.0, allowing attackers to inject malicious scripts via the productname parameter in /admin/adminfootball.php.
You are affected if you are running code-projects Online Shoe Store version 1.0.0–1.0 and have not yet applied a patch or implemented mitigating controls.
Upgrade to a patched version of code-projects Online Shoe Store as soon as it is available. Until then, implement a WAF rule and strict input sanitization.
A public proof-of-concept exists, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the code-projects website or security mailing list for the official advisory regarding CVE-2026-5835.