Platform
php
Component
code-projects-online-shoe-store
Fixed version
1.0.1
CVE-2026-5836 describes a cross-site scripting (XSS) vulnerability in Online Shoe Store version 1.0 (the code-projects release). The flaw lets an attacker inject script into the application's pages, which can compromise user accounts and data. It resides in /admin/admin_product.php and is triggered by manipulating the product_name parameter, whose value the page writes into its HTML without adequate escaping. A fixed version (1.0.1, per the header above) is available; upgrading is the primary remediation.
Successful exploitation of CVE-2026-5836 lets an attacker execute arbitrary JavaScript in the browser session of a user who views the injected content on the Online Shoe Store application. Possible outcomes include session hijacking, credential theft (for example, capturing administrator login details), defacement, redirection to phishing sites and delivery of malware. Because /admin/admin_product.php is an administrative page, the victim is most likely an administrator, so a successful attack could hand the attacker control over product management and potentially other administrative functions.
CVE-2026-5836 has been publicly disclosed. No active exploitation campaigns have been definitively linked to it, but public availability of the details raises the likelihood of opportunistic attempts. The CVSS score of 2.4 indicates low severity, which is consistent with the vulnerable page sitting behind the /admin/ interface rather than being reachable by every visitor; the potential impact on sensitive data and administrative functions still warrants prompt remediation. The vulnerability is not listed in CISA's KEV catalog at the time of writing.
Administrators of Online Shoe Store installations running version 1.0 are at risk. Shared hosting environments where several sites run on the same server instance deserve attention as well: an administrator session compromised on one site gives an attacker a foothold on a server shared with others.
• php / server: locate copies of the vulnerable file:
grep -r "admin_product.php" /var/www/html/
• generic web: check whether product_name is reflected unescaped. The URL is single-quoted so the shell does not treat < and > as redirections, and the response body is fetched (curl -I sends a HEAD request, which returns no body to inspect); if the admin page requires a login, pass the session cookie with -b. A nonzero count means the payload came back as live markup:
curl -s 'http://your-online-shoe-store.com/admin/admin_product.php?product_name=<script>alert(%27XSS%27)</script>' | grep -c '<script>alert'
• generic web: look for injection attempts against the page in the access log (payloads usually arrive percent-encoded):
grep "admin_product.php" /var/log/apache2/access.log | grep -iE 'script|%3Cscript|onerror|onload'
disclosure
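The access-log grep above only matches a few literal strings. The following added example (written for this page, not part of the Online Shoe Store project or the advisory) does the same check more carefully: it pulls the request target out of each Apache combined-format line, percent-decodes the product_name parameter, and flags values that carry a tag, a javascript: URL or an inline event handler. The log lines are constructed for the example; the log format and the set of suspicious patterns are assumptions.

```php
<?php
// Added example, not project code: scan an Apache combined-format access log
// for requests to /admin/admin_product.php whose product_name parameter looks
// like an XSS payload. The log lines below are constructed for this example.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [12/May/2026:10:14:03 +0000] "GET /admin/admin_product.php?product_name=Runner%20X HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2026:10:15:41 +0000] "GET /admin/admin_product.php?product_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5133 "-" "curl/8.4.0"
203.0.113.9 - - [12/May/2026:10:16:02 +0000] "GET /admin/admin_product.php?product_name=x%22%20onmouseover%3Dalert%281%29%20y%3D%22 HTTP/1.1" 200 5140 "-" "curl/8.4.0"
198.51.100.4 - - [12/May/2026:10:17:20 +0000] "POST /admin/admin_product.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/**
 * Return the suspicious log lines, each paired with the decoded product_name value.
 * Only GET requests carry the parameter in the access log; a POST body (as on the
 * last sample line) is not logged, so a stored payload sent that way is invisible here
 * and has to be looked for in the database instead.
 */
function findSuspiciousRequests(string $log): array
{
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        // Extract the request target from the quoted "METHOD /path?query HTTP/x" field.
        if (!preg_match('/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = $m[1];
        if (strpos($url, '/admin/admin_product.php') === false) {
            continue;
        }
        $query = parse_url($url, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue; // no query string (for example a POST)
        }
        parse_str($query, $params); // parse_str percent-decodes the values
        $name = $params['product_name'] ?? null;
        if (!is_string($name)) {
            continue;
        }
        // Decode once more: double-encoded payloads are a common filter bypass.
        $decoded = rawurldecode($name);
        // Opening or closing tag, javascript: URL, or inline event handler (on...=).
        if (preg_match('/<\s*\/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=/i', $decoded)) {
            $hits[] = ['line' => $line, 'product_name' => $decoded];
        }
    }
    return $hits;
}

// Usage: php scan_log.php, or replace SAMPLE_LOG with file_get_contents('/var/log/apache2/access.log').
$hits = findSuspiciousRequests(SAMPLE_LOG);
foreach ($hits as $hit) {
    echo 'suspicious product_name: ' . $hit['product_name'] . PHP_EOL;
    echo '  ' . $hit['line'] . PHP_EOL;
}
echo count($hits) . ' suspicious request(s)' . PHP_EOL;
```

With the constructed lines, the script-tag request and the attribute-breakout request (the one without any `<script>` in it) are both reported, while the benign "Runner X" request is not; the plain grep in the bullet above would have missed the attribute-breakout case.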
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5836 is to upgrade to a patched version of Online Shoe Store (1.0.1 per the header above). If upgrading immediately is not possible, escape the product_name value wherever /admin/admin_product.php writes it into HTML (in PHP, htmlspecialchars() with ENT_QUOTES, so that the value is also safe inside attribute values) and, as a second layer, validate the parameter on input against a strict allow-list of characters. Output escaping is the essential part: validation alone can be bypassed by whatever path writes the product name without going through the form. Web application firewalls (WAFs) configured to detect and block XSS payloads add a further layer of defense but are not a substitute for the fix. After upgrading, verify the fix by submitting a simple payload (e.g. <script>alert('XSS')</script>) in the product_name field and inspecting the page source: the payload must appear encoded (&lt;script&gt;...), not as a live tag. Do not rely on the absence of an alert alone, and also try a payload that breaks out of an attribute (e.g. x" onmouseover=alert(1) y="), which needs no <script> tag at all.
Update the Online Shoe Store application to the latest available version, because this XSS vulnerability in admin_product.php allows malicious code to execute. Verify the origin of the application and apply any available security patches. Implement input validation and output escaping to prevent future XSS attacks.
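The following added example (written for this page; it is not the Online Shoe Store project's code, and the function names, the table markup and the 100-character limit are assumptions about how admin_product.php renders the value) reconstructs the unsafe pattern the advisory describes beside the hardened form: htmlspecialchars() on every HTML output of product_name, with allow-list validation as the second layer recommended above. Run it with php from the command line.

```php
<?php
// Added example, not the Online Shoe Store project's code. The vulnerable
// function reproduces the pattern the advisory describes (product_name echoed
// into the admin page unescaped); the hardened one escapes on output and
// validates on input. Markup and limits are assumptions for illustration.

declare(strict_types=1);

/** Vulnerable pattern: the raw parameter lands in the HTML, so "<script>" is rendered as a tag. */
function renderProductRowVulnerable(string $productName): string
{
    return '<tr><td>' . $productName . '</td>'
         . '<td><input type="text" name="product_name" value="' . $productName . '"></td></tr>';
}

/** Output encoding: correct in both text and attribute context because ENT_QUOTES encodes ' as well as ". */
function h(string $value): string
{
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Input validation as a second layer: product names are short printable strings,
 * so '<', '>' and control characters are rejected outright. Returns the cleaned
 * name, or null if the input is unacceptable. This does not replace h(): data
 * that reaches the database by another route still goes through the encoder.
 */
function validateProductName(string $productName): ?string
{
    $trimmed = trim($productName);
    if ($trimmed === '' || strlen($trimmed) > 100) { // byte length; limit is an assumption
        return null;
    }
    if (preg_match('/[<>\x00-\x1F\x7F]/', $trimmed)) {
        return null;
    }
    return $trimmed;
}

/** Hardened pattern: every interpolation goes through h(). */
function renderProductRowHardened(string $productName): string
{
    return '<tr><td>' . h($productName) . '</td>'
         . '<td><input type="text" name="product_name" value="' . h($productName) . '"></td></tr>';
}

// Demonstration with the payload the advisory suggests for verification,
// plus an attribute-breakout payload that needs no <script> tag.
$payloads = ["<script>alert('XSS')</script>", 'x" onmouseover=alert(1) y="'];
foreach ($payloads as $payload) {
    echo 'vulnerable: ' . renderProductRowVulnerable($payload) . PHP_EOL;
    echo 'hardened:   ' . renderProductRowHardened($payload) . PHP_EOL;
    echo 'validated:  ' . var_export(validateProductName($payload), true) . PHP_EOL;
}
echo 'validated:  ' . var_export(validateProductName('Trail Runner 2'), true) . PHP_EOL;
```

In the hardened output the script payload appears as &lt;script&gt;...&lt;/script&gt; with the quotes encoded, and the attribute-breakout payload stays inside the value="..." attribute because its double quote becomes &quot;. That encoded form, visible in the page source, is what the verification step above should confirm; the validator rejects the script payload but accepts the attribute-breakout one, which is exactly why output encoding rather than validation is the control that closes the vulnerability.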
CVE-2026-5836 is a cross-site scripting (XSS) vulnerability affecting Online Shoe Store version 1.0 that allows attackers to inject malicious scripts via the product_name parameter of /admin/admin_product.php.
You are affected if you run Online Shoe Store version 1.0 and have not upgraded to a patched version (1.0.1). Check your installed version and apply the update.
The recommended fix is to upgrade to a patched version of Online Shoe Store. If an immediate upgrade is not possible, escape the product_name value wherever it is written into HTML (htmlspecialchars() with ENT_QUOTES in PHP) and validate it on input.
While no confirmed active exploitation campaigns have been linked to this specific vulnerability, its public disclosure increases the risk of exploitation.
Please refer to the Online Shoe Store official website or security channels for the advisory related to CVE-2026-5836.