PatchSiren cyber security CVE debrief

CVE-2026-9377 SourceCodester CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in SourceCodester SUP Online Shopping 1.0, specifically in the administrative product editing interface at /admin/productedit.php. The productName parameter lacks proper input sanitization, allowing an authenticated administrator to inject malicious scripts that are stored and later rendered for other users. Successful exploitation requires high privileges (administrative access) and user interaction, which significantly limits practical exploitability. The vulnerability was disclosed publicly on May 24, 2026, and the record was updated on May 26, 2026. No active exploitation in ransomware campaigns has been confirmed, and the issue has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor: SourceCodester
Product: SUP Online Shopping
CVSS 4.0: 1.9 (Low)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-24
Original CVE updated: 2026-05-26
Advisory published: 2026-05-24
Advisory updated: 2026-05-26

Who should care

Organizations running SourceCodester SUP Online Shopping 1.0 whose administrative interface is used by more than one person should prioritize remediation, since a payload stored by one administrator executes in the sessions of others and can lead to session hijacking and privilege escalation. Security teams should also fold this finding into web application security assessments and into developer training that emphasizes secure input handling and output encoding.

Technical summary

The vulnerability resides in the administrative product editing functionality of SUP Online Shopping 1.0. The productName parameter in /admin/productedit.php is not neutralized before it is rendered in the browser. An attacker holding administrative credentials can store JavaScript payloads that execute in the browser sessions of other users who view the affected page. The CVSS 4.0 score of 1.9 reflects the high privilege requirement (PR:H) and the dependency on user interaction (UI:P), which constrain practical exploitability even though the attack vector is network-reachable and the attack complexity is low.

Defensive priority

Low

Recommended defensive actions

  • Implement strict input validation on the productName parameter and context-aware output encoding wherever /admin/productedit.php renders it
  • Apply output encoding through an established library such as OWASP Java Encoder, or the equivalent for the application's own platform, rather than ad hoc string replacement
  • Review and remediate similar input handling patterns across the other administrative interfaces
  • Deploy Content Security Policy headers to limit the impact of a successful injection
  • Monitor for unauthorized administrative access attempts, since administrative credentials are the precondition for exploiting this vulnerability
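The following is an added example, not code from SourceCodester or the SUP Online Shopping project; the application's actual source is not reproduced here. It shows, in PHP (the language implied by the .php endpoint), the generic unescaped-output pattern behind a CWE-79 defect beside a hardened form that combines the first, second and fourth actions above: input validation, context-aware output encoding, and a Content Security Policy header. The function names, the validation policy (length limit, no control characters), the CSP directives and the sample input are assumptions made for the illustration, and mbstring is assumed to be available.

```php
<?php
// Added example, not SourceCodester's code: a hardened handling pattern for the
// productName field of an admin product-edit page. The "unsafe" function below
// is a generic illustration of the CWE-79 defect the advisory describes, not
// the application's real code.

declare(strict_types=1);

// --- Vulnerable pattern (illustrative only) ---------------------------------
// Concatenating the raw parameter into HTML lets any markup in the stored
// value run in the browser of whoever later views the product page.
function renderProductNameUnsafe(string $productName): string
{
    return '<input type="text" name="productName" value="' . $productName . '">';
}

// --- Hardened pattern --------------------------------------------------------

// Step 1: input validation (assumed policy). Reject values that are not
// plausible single-line product names: empty, over-long, or containing
// control characters. Markup characters are deliberately NOT stripped here;
// rendering context, not storage, decides how they must be encoded.
function validateProductName(string $productName): ?string
{
    $trimmed = trim($productName);
    if ($trimmed === '' || mb_strlen($trimmed, 'UTF-8') > 120) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $trimmed) === 1) {
        return null;
    }
    return $trimmed;
}

// Step 2: context-aware output encoding at render time. ENT_QUOTES escapes
// both quote styles so the value cannot close the attribute; ENT_SUBSTITUTE
// prevents malformed UTF-8 from silently producing an empty string.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderProductNameSafe(string $productName): string
{
    return '<input type="text" name="productName" value="' . encodeForHtml($productName) . '">';
}

// Step 3: defence in depth. A policy without 'unsafe-inline' stops inline
// script execution even if an encoding gap remains elsewhere in the admin UI.
// Call this before any output is sent. (Assumed directive set; tune per site.)
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Constructed sample input: a product name carrying markup, as a stored value
// might if validation and encoding were absent.
$sample = 'Blue Mug"><script>alert(1)</script>';

echo "unsafe: ", renderProductNameUnsafe($sample), PHP_EOL;

$validated = validateProductName($sample);
if ($validated === null) {
    echo "rejected by validation", PHP_EOL;
} else {
    // The stored value survives validation (it is printable text) but the
    // encoder turns its quotes and angle brackets into inert entities.
    echo "safe:   ", renderProductNameSafe($validated), PHP_EOL;
}
```

Run it with `php example.php` and compare the two rendered lines. The design choice worth noting is that validation does not try to remove `<` or `&`: legitimate product names can contain them, and stripping at input time tends to break data while still missing contexts such as attributes or JavaScript strings. The encoding step at render time is what makes the stored value inert, and the CSP is a second layer for any page that forgets to encode.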

Evidence notes

The vulnerability is confirmed through a VulDB submission and a GitHub issue reference. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, but high privileges and user interaction are required. CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code) are identified as the primary weakness types. Vendor attribution remains uncertain, with confidence marked as low; SourceCodester is identified as the reference domain candidate.

Official resources

2026-05-24T12:16:53.173Z