
Evershop

5 CVEs for this product (monthly view)

CVE-2026-28213 | CRITICAL | Act Now

Information disclosure in the EverShop e-commerce platform before version 2.1.1 via the Forgot Password functionality: API responses reveal sensitive information when invalid data is submitted.

Tags: Information Disclosure, Evershop
References: NVD, GitHub
CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2026-25993 | CRITICAL | PATCH | Act Now

SQL injection in the EverShop e-commerce platform during category update/deletion event handling: path and request_path values are inserted into SQL without sanitization. A patch is available.

Tags: SQLi, Evershop
References: NVD, GitHub
CVSS 3.1: 9.8 | EPSS: 0.0%
CVE-2025-67427 | npm | MEDIUM | This Month

A blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. [CVSS 6.5 MEDIUM]

Tags: SSRF, Evershop
References: NVD, GitHub
CVSS 3.1: 6.5 | EPSS: 0.1%
CVE-2025-67419 | npm | HIGH | This Week

Evershop contains a vulnerability that allows attackers to exhaust the application server's resources via the "GET /images" API (CVSS 7.5).

Tags: Denial of Service, Evershop
References: NVD, GitHub
CVSS 3.1: 7.5 | EPSS: 0.1%
CVE-2025-65844 | HIGH | POC | This Week

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files), which could be used to impersonate user or admin login panels (exfiltrating credentials), and to perform a denial-of-service attack by exhausting disk space.

Tags: File Upload, Evershop
References: NVD, GitHub
CVSS 3.1: 7.5 | EPSS: 0.1%
