Skip to main content

Shopizer CVE-2026-36767

| EUVDEUVD-2026-26401 CRITICAL
Path Traversal (CWE-22)
2026-04-30 cve@mitre.org GHSA-f5w4-7ccj-5m75
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 19:31 vuln.today
CVSS changed
Apr 30, 2026 - 18:22 NVD
10.0 (CRITICAL)
EUVD ID Assigned
Apr 30, 2026 - 17:22 euvd
EUVD-2026-26401
Analysis Generated
Apr 30, 2026 - 17:22 vuln.today
CVE Published
Apr 30, 2026 - 17:16 nvd
CRITICAL 10.0

DescriptionCVE.org

A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request.

AnalysisAI

Unauthenticated remote file write in Shopizer v3.2.5 allows attackers to upload arbitrary files to any writable system path via path traversal in the /content/images/add endpoint. With CVSS 10.0 and network-based exploitation requiring no authentication or user interaction, this enables immediate remote code execution by uploading malicious executables or web shells. No public exploit confirmed at time of analysis, though the attack vector is straightforward for a path traversal vulnerability. EPSS data not available, but the technical characteristics (AV:N/PR:N/AC:L) indicate high exploitability once details become widely known.

Technical ContextAI

This is a CWE-22 (Path Traversal) vulnerability in Shopizer's image upload functionality. Shopizer is an open-source Java-based e-commerce platform. The /content/images/add endpoint fails to properly sanitize user-supplied file paths in POST requests, allowing directory traversal sequences (../ or absolute paths) to escape the intended upload directory. Combined with no authentication requirement (PR:N), attackers can leverage this to write files anywhere the application process has write permissions, including web-accessible directories for shell upload or system directories for privilege escalation. The scope change (S:C) in the CVSS vector indicates the vulnerability can impact resources beyond the vulnerable component's security scope.

RemediationAI

Upgrade Shopizer immediately to a patched version when released - monitor GitHub issue #1091 at https://github.com/shopizer-ecommerce/shopizer/issues/1091 for vendor patch announcements. Until a fix is available, implement emergency compensating controls: (1) disable or remove the /content/images/add endpoint entirely if image upload functionality is non-critical (requires code modification and redeployment, breaks admin image management); (2) implement web application firewall rules to block POST requests to /content/images/add containing traversal sequences like ../, ..\ , or absolute paths (may cause false positives with legitimate filenames containing periods); (3) restrict network access to the administrative interface to trusted IP ranges only via firewall or reverse proxy ACLs (limits usability for distributed admin teams). All compensating controls have operational trade-offs and should be considered temporary until vendor patch is applied.

Share

CVE-2026-36767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy