<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ecommerce-CodeIgniter-Bootstrap (&lt;= 222ff31c06687b1c6d0e1ab63953f82c3674c52b) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/ecommerce-codeigniter-bootstrap--222ff31c06687b1c6d0e1ab63953f82c3674c52b/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 04 Jul 2026 17:19:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/ecommerce-codeigniter-bootstrap--222ff31c06687b1c6d0e1ab63953f82c3674c52b/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14635: Path Traversal in kirilkirkov Ecommerce-CodeIgniter-Bootstrap</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14635-path-traversal/</link><pubDate>Sat, 04 Jul 2026 17:19:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14635-path-traversal/</guid><description>A high-severity path traversal vulnerability (CVE-2026-14635) has been identified in kirilkirkov Ecommerce-CodeIgniter-Bootstrap versions up to commit 222ff31c066, allowing remote attackers to access or modify arbitrary files by manipulating the 'folder' argument in the Vendor Multi-Image Endpoint, with a public exploit available.</description><content:encoded><![CDATA[<p>A critical path traversal vulnerability, CVE-2026-14635, has been publicly disclosed and is actively exploitable in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to commit 222ff31c06687b1c6d0e1ab63953f82c3674c52b. This flaw specifically impacts the Vendor Multi-Image Endpoint, residing in the <code>application/modules/vendor/controllers/AddProduct.php</code> file. Remote attackers can leverage this vulnerability by manipulating the 'folder' argument within HTTP requests, allowing them to traverse directory structures and potentially access or modify arbitrary files outside the intended web root. The lack of traditional versioning due to the product's rolling release model means all installations prior to the patch commit are affected. A public exploit has been released, significantly increasing the risk of widespread exploitation. Defenders must prioritize applying patch <code>2a9497ff11f36e573ad99e1c357ff0e6ded49745</code> to mitigate this severe risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated remote attacker identifies an internet-facing instance of kirilkirkov Ecommerce-CodeIgniter-Bootstrap.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the vulnerable <code>application/modules/vendor/controllers/AddProduct.php</code> endpoint.</li>
<li>The request includes a specially crafted <code>folder</code> argument containing directory traversal sequences, such as <code>../../../../</code> or its URL-encoded variants.</li>
<li>The <code>AddProduct.php</code> component processes the <code>folder</code> argument without proper sanitization or validation of the input path.</li>
<li>The application attempts to access, create, or modify a file at a location outside its intended directory, dictated by the attacker's manipulated <code>folder</code> argument.</li>
<li>The attacker successfully gains unauthorized access to sensitive system files (e.g., <code>/etc/passwd</code>, configuration files), or writes malicious content like web shells to accessible directories.</li>
<li>If a web shell is successfully deployed, the attacker can achieve remote code execution and further compromise the underlying server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-14635 can lead to severe consequences, including unauthorized access to sensitive system files, configuration files, and potentially user data. Attackers could also write malicious web shells to the server, leading to full remote code execution and complete system compromise. The availability of a public exploit significantly increases the likelihood of opportunistic attacks targeting vulnerable instances. Organizations failing to patch face data breaches, system defacement, or complete loss of control over their web application and underlying server infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-14635 immediately by applying commit <code>2a9497ff11f36e573ad99e1c357ff0e6ded49745</code> to your kirilkirkov Ecommerce-CodeIgniter-Bootstrap installation.</li>
<li>Deploy the Sigma rule provided in this brief to your web server logs (category: webserver) to detect exploitation attempts.</li>
<li>Ensure comprehensive web server access logging is enabled to capture full HTTP request details, including URI path and query strings, for improved detection and forensic analysis.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>web-application</category><category>codeigniter</category><category>cve</category></item></channel></rss>