CVE-2026-2165
7.3 HIGH · Published 2026-02-08 · Modified 2026-02-09 · Awaiting Analysis
Quick Summary
A vulnerability in the detronetdip E-commerce platform allows attackers to create seller accounts without proper authentication by manipulating the email field. This matters because it bypasses security checks and can be exploited remotely.
Who is affected
All users of detronetdip E-commerce version 1.0.0 are affected. An attacker could create unauthorized seller accounts to potentially list fraudulent products or gain further access to the system.
Recommended fix
Apply strict authentication and authorization checks on the /Admin/assets/backend/seller/add_seller.php endpoint. As no official patch exists, restrict network access to the admin panel and monitor for unauthorized account creation until a vendor update is available.
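One way to implement the monitoring step until a vendor update is available, as an added example that is not part of the advisory or the project's code. It assumes the web server writes the Apache/nginx "combined" access log format and that administrators reach the panel only from the network in ADMIN_NETS; that network and the sample log lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the advisory, lowercased for case-insensitive comparison.
ENDPOINT = "/Admin/assets/backend/seller/add_seller.php".lower()
# Assumption: networks administrators legitimately use to reach the panel.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Apache/nginx "combined" access log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '10.0.5.17 - - [09/Feb/2026:10:01:12 +0000] "POST /Admin/assets/backend/seller/add_seller.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [09/Feb/2026:10:03:55 +0000] "POST /Admin/assets/backend/seller/add_seller.php HTTP/1.1" 200 41 "-" "curl/8.5.0"',
    '198.51.100.9 - - [09/Feb/2026:10:04:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Feb/2026:10:04:30 +0000] "POST /admin//assets/backend/seller/add_seller.php?ref=1 HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
]

def normalize(target):
    """Canonicalize a request target: drop the query, decode, collapse slashes."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path).lower()

def suspicious_requests(lines):
    """Return (timestamp, ip, method, status) for endpoint hits from outside ADMIN_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) != ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or malformed; skipped in this sketch
        if any(src in net for net in ADMIN_NETS):
            continue
        hits.append((m["ts"], m["ip"], m["method"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Each hit should be reconciled against the seller table: a successful request from outside the admin network with no matching administrator action is an account to review.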
Technical Description
A weakness has been identified in detronetdip E-commerce 1.0.0. It affects an unknown function in the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Manipulating the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-287, CWE-306