VYPR
Medium severity · CVSS 6.1 · NVD Advisory · Published Apr 30, 2026 · Updated Apr 30, 2026

CVE-2026-38939

Description

Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in mvc-ecommerce v1.0 allows remote attackers to execute arbitrary JavaScript via the query parameter in product_catalogue.php.

Vulnerability

Overview

A reflected Cross-Site Scripting (XSS) vulnerability exists in andrewtch88/mvc-ecommerce v1.0. The flaw is located in the query parameter of the /product_catalogue.php component. User-supplied input is reflected directly into the HTML response without output encoding, so an attacker can inject arbitrary HTML and JavaScript into the page [1]. Note that the "arbitrary code" in the NVD description is JavaScript running in the victim's browser on the application's origin; the report does not describe code execution on the server.

Exploitation

An attacker can craft a malicious URL containing a JavaScript payload in the query parameter. For example, visiting http://localhost/mvc-ecommerce/product_catalogue.php?query=w7ul4">jcmse causes the injected value to be reflected verbatim: the "> sequence closes the attribute value and tag into which the parameter is written, so anything placed after it is parsed as new markup, and a script or event-handler payload at that point executes in the victim's browser. No authentication is required, and the attack is performed remotely by tricking a user into opening the crafted link [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session on the application's origin. This can lead to session hijacking (where the session cookie is readable by script), theft of sensitive information such as page content or tokens, or unauthorized actions performed on behalf of the victim through authenticated requests. The CVSS v3 base score is 6.1 (Medium): the attack needs no privileges but requires user interaction, and the direct impact on confidentiality and integrity is limited [1].

Mitigation

As of the publication date, no official patch has been released. The vendor should apply context-aware output encoding to all user-controlled data at the point where it is written into the response (in PHP, htmlspecialchars with ENT_QUOTES for HTML body and attribute contexts), rather than relying on input filtering alone. As defence in depth, a Content-Security-Policy that disallows inline script limits what an injected payload can do, and marking session cookies HttpOnly keeps them out of reach of script. Users are advised to avoid opening untrusted links to the application and to monitor the repository for updates [1].
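The following is an added illustration of the reflection pattern described in the Exploitation and Mitigation sections, written for this page; it is not code from the mvc-ecommerce repository, and the function names, the surrounding markup and the probe string are assumptions. It places the vulnerable reflection beside the hardened form and includes a small check a practitioner can reuse to confirm that a probe which closes an attribute and tag no longer comes back unencoded.

```php
<?php
// Added example, not the project's product_catalogue.php. It models the
// pattern the advisory describes: a search term taken from ?query= and
// written into the HTML response. Names and markup are assumed.

declare(strict_types=1);

// Vulnerable pattern: the parameter is concatenated straight into an
// attribute value and into element text. A value such as  w7ul4">...
// terminates the value="" attribute and the <input> tag, so whatever
// follows is parsed by the browser as new markup.
function render_search_vulnerable(string $query): string
{
    return '<input type="text" name="query" value="' . $query . '">'
         . '<p>Results for ' . $query . '</p>';
}

// Hardened pattern: context-aware encoding at the output point.
// ENT_QUOTES encodes both ' and ", which is what protects attribute
// values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_search_hardened(string $query): string
{
    return '<input type="text" name="query" value="' . h($query) . '">'
         . '<p>Results for ' . h($query) . '</p>';
}

// Regression check: if the probe (containing " and > and <) appears in the
// response byte-for-byte, the reflection point is still unencoded.
function reflects_unencoded(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed probe in the style of the advisory's URL: the "> closes
    // the attribute and tag, the <b> element proves markup injection
    // without executing anything.
    $probe = 'w7ul4"><b>jcmse</b>';

    $vuln = render_search_vulnerable($probe);
    $safe = render_search_hardened($probe);

    printf("vulnerable render reflects probe unencoded: %s\n",
        reflects_unencoded($vuln, $probe) ? 'yes' : 'no');
    printf("hardened render reflects probe unencoded:   %s\n",
        reflects_unencoded($safe, $probe) ? 'yes' : 'no');
    echo $safe, "\n";
}
```

Run it with php on the command line. The hardened output contains `&quot;&gt;&lt;b&gt;` where the vulnerable one contains `"><b>`, which is the whole fix: the data reaches the browser as text, not as markup. The encoder shown is correct only for HTML body and quoted-attribute contexts; a value written into a JavaScript string, a URL or a CSS block needs the encoder for that context instead.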

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)