CVE-2025-40627

Name of the Vulnerable Software and Affected Versions AbanteCart version 1.4.0

Description A Reflected Cross-Site Scripting (XSS) issue allows an attacker to execute JavaScript code in a victim's browser by sending a malicious URL. This can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through the "/eyes? API endpoint with a malicious XSS PAYLOAD.

Recommendations For AbanteCart version 1.4.0, as a temporary workaround, consider restricting access to the "/eyes? API endpoint until a patch is available. Avoid using this endpoint with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.