CVE-2026-2165
Published: 08 February 2026
Description
A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Manipulating the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Mitigating Controls (NIST 800-53 r5)
AC-14 directly mandates identification and limitation of user actions performable without authentication, preventing unauthorized access to critical functions like the seller account creation endpoint.
AC-3 enforces approved access authorizations, ensuring authentication checks are applied to the account creation endpoint to block unauthenticated manipulations.
AC-2 requires managed account creation processes with approval and authentication, mitigating unauthorized seller account provisioning via the vulnerable endpoint.
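As an added illustration of the AC-14, AC-3 and AC-2 controls listed above, here is a hardened skeleton for an admin-only account-creation endpoint in PHP. It is not code from detronetdip E-commerce (the advisory does not show the vulnerable function); the session keys, the role value, the CSRF token and the sellers table are assumptions.

```php
<?php
// Added example, not code from detronetdip E-commerce. Assumptions: the admin
// login flow stores 'admin_id', 'role' and 'csrf_token' in $_SESSION, and
// sellers live in a table named sellers (created here in SQLite for the demo).
declare(strict_types=1);

session_start();

// 1. Authentication gate (AC-14 / AC-3): an account-creation endpoint must
//    refuse every request that is not backed by an authenticated admin session.
//    Omitting this check is the CWE-306 condition the advisory describes.
if (empty($_SESSION['admin_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(401);
    exit('authentication required');
}

// 2. Accept the form only via POST and only with a token bound to this
//    session, so a logged-in admin cannot be tricked into submitting it.
//    The empty() check matters: hash_equals('', '') would otherwise pass.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) ($_POST['csrf_token'] ?? ''))) {
    http_response_code(403);
    exit('invalid request');
}

// 3. Validate the 'email' argument named in the advisory before it is used.
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    http_response_code(400);
    exit('invalid email');
}

// 4. Persist with a prepared statement and record which admin created the
//    account, so provisioning is attributable and reviewable (AC-2).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE IF NOT EXISTS sellers (
    id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL,
    created_by INTEGER NOT NULL, created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)');
$stmt = $pdo->prepare('INSERT INTO sellers (email, created_by) VALUES (?, ?)');
$stmt->execute([$email, (int) $_SESSION['admin_id']]);
echo 'seller created';
```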
Security Summary
CVE-2026-2165 is a missing authentication vulnerability affecting detronetdip E-commerce version 1.0.0. The issue resides in an unknown function within the file /Admin/assets/backend/seller/add_seller.php, part of the Account Creation Endpoint. By manipulating the 'email' argument, attackers can bypass authentication requirements, as classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges or user interaction required. Successful exploitation allows creation of seller accounts without proper authentication, potentially granting unauthorized access to administrative functions. This leads to low impacts on confidentiality, integrity, and availability, such as limited data exposure, account manipulation, or minor service disruption.
Advisories from VulDB (ctiid.344867 and id.344867) detail the issue, while the project's GitHub repository (detronetdip/E-commerce) shows an open issue report (#23) informing developers, but no response or patch has been issued. A public exploit is available in a separate GitHub repository (Nixon-H/Unauthenticated-Admin-Account-Creation), enabling immediate attack replication.
In context, the exploit's public availability heightens risk for deployments of detronetdip E-commerce 1.0.0, with no evidence of remediation as of the CVE publication on 2026-02-08.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authentication in a public-facing web application endpoint (T1190: Exploit Public-Facing Application), directly enabling unauthenticated remote account creation (T1136: Create Account) for seller/admin access.