How to fix EUVD-2025-200288?

Within 24 hours: Disable or restrict access to the /api/images endpoint via WAF rules or network access controls; audit logs for suspicious upload activity. Within 7 days: Implement strict file type validation, disable directory creation functionality, and enforce authentication on the endpoint. Within 30 days: Upgrade to patched version when available or migrate off EverShop 2.0.1; conduct forensic analysis for any uploaded malicious files.

Is Evershop affected by EUVD-2025-200288?

EverShop 2.0.1 contains a critical file upload vulnerability that allows unauthenticated attackers to upload malicious files and exhaust server storage without authentication.

EUVD-2025-200288

| CVE-2025-65844 HIGH

2025-12-02 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 14:04 euvd

EUVD-2025-200288

Analysis Generated

Mar 15, 2026 - 14:04 vuln.today

PoC Detected

Dec 06, 2025 - 04:15 vuln.today

Public exploit code

CVE Published

Dec 02, 2025 - 18:15 nvd

HIGH 7.5

Description

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space.

Analysis

Technical Context

Unrestricted file upload allows attackers to upload malicious files (web shells, executables) that can then be executed on the server. This vulnerability is classified as Unrestricted Upload of File with Dangerous Type (CWE-434).

Affected Products

Affected products: Evershop Evershop 2.0.1

Remediation

Validate file types by content (magic bytes), not just extension. Store uploads outside the web root. Use random filenames. Scan uploads for malware.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: +20

EUVD-2025-200288 vulnerability details – vuln.today

Back

EUVD-2025-200288

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-200288

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code