Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request.
AnalysisAI
Unauthenticated remote file write in Shopizer v3.2.5 allows attackers to upload arbitrary files to any writable system path via path traversal in the /content/images/add endpoint. With CVSS 10.0 and network-based exploitation requiring no authentication or user interaction, this enables immediate remote code execution by uploading malicious executables or web shells. No public exploit confirmed at time of analysis, though the attack vector is straightforward for a path traversal vulnerability. EPSS data not available, but the technical characteristics (AV:N/PR:N/AC:L) indicate high exploitability once details become widely known.
Technical ContextAI
This is a CWE-22 (Path Traversal) vulnerability in Shopizer's image upload functionality. Shopizer is an open-source Java-based e-commerce platform. The /content/images/add endpoint fails to properly sanitize user-supplied file paths in POST requests, allowing directory traversal sequences (../ or absolute paths) to escape the intended upload directory. Combined with no authentication requirement (PR:N), attackers can leverage this to write files anywhere the application process has write permissions, including web-accessible directories for shell upload or system directories for privilege escalation. The scope change (S:C) in the CVSS vector indicates the vulnerability can impact resources beyond the vulnerable component's security scope.
RemediationAI
Upgrade Shopizer immediately to a patched version when released - monitor GitHub issue #1091 at https://github.com/shopizer-ecommerce/shopizer/issues/1091 for vendor patch announcements. Until a fix is available, implement emergency compensating controls: (1) disable or remove the /content/images/add endpoint entirely if image upload functionality is non-critical (requires code modification and redeployment, breaks admin image management); (2) implement web application firewall rules to block POST requests to /content/images/add containing traversal sequences like ../, ..\ , or absolute paths (may cause false positives with legitimate filenames containing periods); (3) restrict network access to the administrative interface to trusted IP ranges only via firewall or reverse proxy ACLs (limits usability for distributed admin teams). All compensating controls have operational trade-offs and should be considered temporary until vendor patch is applied.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26401
GHSA-f5w4-7ccj-5m75