CVE-2026-2347: Critical Authorization Bypass in Akilli E-Commerce Website

The National Vulnerability Database has disclosed CVE-2026-2347, a critical authorization bypass vulnerability impacting Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website versions prior to 4.5.001. This flaw, carrying a CVSS score of 9.8, enables session hijacking through a user-controlled key, allowing unauthenticated attackers to potentially seize control of user sessions.

This vulnerability is straightforward to exploit (Attack Vector: Network, Complexity: Low) and requires no user interaction or privileges. An attacker can leverage this to fully compromise confidentiality, integrity, and availability, effectively taking over user accounts and sensitive operations within affected e-commerce platforms. The attacker’s calculus here is simple: target widely deployed, unpatched e-commerce sites to gain unauthorized access to customer data, financial information, or administrative controls.

For defenders, this is a red alert. The ease of exploitation coupled with the critical impact makes immediate patching non-negotiable. Any organization running Akilli E-Commerce Website needs to prioritize this update to prevent severe breaches and maintain customer trust. Session hijacking is a direct path to data theft and reputational damage.

What This Means For You

  • If your organization uses Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website, check your version immediately and update to 4.5.001 or newer without delay. Because exploitation is trivial, also audit your logs for suspicious session activity or unauthorized access attempts that occurred before you patched.

🛡️ Detection Rules

title: 'CVE-2026-2347: Akilli E-Commerce Authorization Bypass via User-Controlled Key'
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-2347 by targeting the '/account/edit' endpoint with a manipulated 'session_id' parameter, indicating an authorization bypass attempt. This is a critical vulnerability allowing session hijacking.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-2347/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/account/edit'
    cs-uri-query|contains:
      - 'session_id='
    sc-status:
      - 200
  condition: selection
falsepositives:
  - Legitimate administrative activity
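As an added example (not part of the original page or of any tooling from the rule's author), the selection logic of the Sigma rule above applied to constructed W3C-style web server log lines, so a defender can see exactly which requests it would and would not flag. The endpoint '/account/edit' and the 'session_id' parameter are taken from the AI-generated rule and are assumptions, not confirmed details of the vulnerable product; the log lines and IP addresses are constructed.

```python
# Minimal matcher for the Sigma selection: cs-uri contains '/account/edit'
# AND cs-uri-query contains 'session_id=' AND sc-status is 200.
# Field order below is a simplified W3C extended log layout (an assumption).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri", "cs-uri-query", "sc-status"]

# Constructed sample log; '-' is the W3C placeholder for an empty query string.
SAMPLE_LOG = """\
2026-05-14 13:20:01 203.0.113.5 GET /account/edit session_id=7f3a 200
2026-05-14 13:20:02 203.0.113.5 GET /account/edit - 200
2026-05-14 13:20:03 198.51.100.9 POST /account/edit session_id=abc1 403
2026-05-14 13:20:04 192.0.2.44 GET /catalog/list session_id=abc1 200
2026-05-14 13:20:05 192.0.2.44 GET /account/edit user=1&session_id=9d2 200
"""


def parse_line(line):
    """Split one log line into a field dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def matches_rule(event):
    """Mirror the three clauses of the rule's 'selection'; all must hold."""
    return (
        "/account/edit" in event["cs-uri"]
        and "session_id=" in event["cs-uri-query"]
        and event["sc-status"] == "200"
    )


def find_hits(log_text):
    """Return the parsed events that the rule would flag, in log order."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None and matches_rule(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["cs-uri"], hit["cs-uri-query"])
```

Because the rule requires sc-status 200, the 403 line is not a hit; widening that clause would also surface failed attempts, at the cost of more noise from the legitimate administrative activity the rule already lists as a false positive.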

Indicators of Compromise

ID             Type               Indicator
CVE-2026-2347  Auth Bypass        Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website
CVE-2026-2347  Auth Bypass        E-Commerce Website before 4.5.001
CVE-2026-2347  Session Hijacking  Authorization bypass through User-Controlled key

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 13:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
