Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14635: Unrestricted File Upload RCE in CodeIgniter Ecommerce Bootstrap
CVE-2026-14635: Unrestricted File Upload RCE in CodeIgniter Ecommerce Bootstrap
SECURITYHIGHCVE-2026-14635

CVE-2026-14635: Unrestricted File Upload RCE in CodeIgniter Ecommerce Bootstrap

A high-severity unrestricted file upload vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows authenticated vendor users to upload arbitrary PHP files, enabling remote code execution on the hosting server.

Dylan H.

Security Team

July 5, 2026
3 min read

Affected Products

  • kirilkirkov/Ecommerce-CodeIgniter-Bootstrap (up to commit 222ff31c06)
  • AddProduct.php — Vendor Multi-Image Endpoint
  • CodeIgniter-based PHP ecommerce applications

Executive Summary

CVE-2026-14635 is a high-severity unrestricted file upload vulnerability affecting the open-source kirilkirkov/Ecommerce-CodeIgniter-Bootstrap project. The flaw exists in the vendor product management endpoint (AddProduct.php) and allows an authenticated vendor user to upload a PHP webshell disguised as an image, achieving remote code execution on the web server.

CVSS Score: 7.3 (High)

Operators running this ecommerce framework should treat this as urgent — vendor account registration is often publicly accessible, meaning an attacker can self-register before exploiting the flaw.


Vulnerability Overview

Root Cause

The multi-image upload endpoint in application/modules/vendor/controllers/AddProduct.php accepts file uploads without validating the true MIME type or enforcing a safe allowlist of extensions. The application relies on client-supplied Content-Type headers and filename extensions, both of which can be trivially spoofed.

Attack Surface

ComponentDetail
EndpointPOST /vendor/addproduct (multi-image parameter)
Auth RequiredVendor account (self-registrable in most deployments)
File StoredPublicly accessible upload directory
ImpactRCE as the web server process (www-data or equivalent)

Attack Chain

1. Attacker registers or compromises a vendor account
2. Navigates to Add Product and uploads PHP webshell as "image"
3. Server accepts file — no MIME validation performed
4. Attacker requests the uploaded file URL directly
5. PHP interpreter executes the shell on the server
6. Full remote code execution achieved

Technical Details

Affected Code Path

The vulnerability is in the multi-image handling logic:

application/modules/vendor/controllers/AddProduct.php

The upload helper accepts any file matching basic image extension patterns but does not:

  • Validate actual file content / magic bytes
  • Strip or reject PHP-interpretable extensions (.php, .php5, .phtml, etc.)
  • Restrict execution of files in the upload directory

Proof of Concept (Redacted)

A minimal exploit involves:

  1. Crafting a POST request with Content-Type: multipart/form-data
  2. Including a file field with extension .php (or a double extension like .php.jpg if filtered)
  3. File content: minimal PHP webshell

Actual exploit payloads are available on public exploit databases; patch immediately.


Affected Versions

CommitStatus
Up to 222ff31c06687b1c6d0e1ab63953f82c3674c52bVulnerable
No patched release published at time of disclosureCheck upstream

Remediation

Immediate Steps

1. Validate file type server-side using magic bytes (not extension or Content-Type):

// Use PHP's finfo to validate real MIME type
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->file($_FILES['image']['tmp_name']);
$allowed = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
if (!in_array($mime, $allowed)) {
    show_error('Invalid file type.');
}

2. Enforce safe extension allowlist and rename on save:

// Rename uploaded file to UUID + safe extension
$ext = 'jpg'; // determined from validated MIME only
$newname = bin2hex(random_bytes(16)) . '.' . $ext;

3. Disable PHP execution in upload directories (.htaccess):

<Directory /path/to/uploads>
    php_flag engine off
    Options -ExecCGI
    AddType text/plain .php .php5 .phtml .phar
</Directory>

4. Move upload storage out of the web root if possible.


Detection

Log Analysis

Look for POST requests to vendor product upload endpoints followed by GET requests to upload directories with .php extensions:

grep -E "POST.*addproduct" /var/log/apache2/access.log
grep -E "GET.*/uploads/.*\.php" /var/log/apache2/access.log

File System Audit

# Find PHP files in upload directories
find /var/www/html/uploads -name "*.php" -o -name "*.phtml" -o -name "*.phar" 2>/dev/null

References

  • NVD — CVE-2026-14635
  • kirilkirkov/Ecommerce-CodeIgniter-Bootstrap
  • OWASP — Unrestricted File Upload

Related Reading

  • CVE-2026-14637: PHP Deserialization RCE in CodeIgniter Ecommerce Bootstrap
  • CVE-2026-14641: SQL Injection in SourceCodester Timetabling System
#CVE#File Upload#RCE#PHP#CodeIgniter#Ecommerce#High

Related Articles

CVE-2026-14637: PHP Deserialization RCE in CodeIgniter Ecommerce Bootstrap Shopping Cart

A high-severity PHP deserialization vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows attackers to inject malicious serialized objects via the shopping_cart cookie, achieving arbitrary code execution through PHP object injection.

4 min read

CVE-2026-14641: Remote SQL Injection in SourceCodester Class and Exam Timetabling System

A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to dump the full database by manipulating the ID parameter in edit_course.php. A public exploit PoC is available.

4 min read

CVE-2026-14642: Remote SQL Injection in SourceCodester Timetabling System edit_class2.php

A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to fully compromise the database via the ID parameter in edit_class2.php. A public exploit PoC has been published.

5 min read
Back to all Security Alerts