VYPR
Unrated severityNVD Advisory· Published Oct 2, 2025· Updated Oct 2, 2025

CVE-2025-56161

CVE-2025-56161

Description

YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money.) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • YOSHOP/YOSHOPcpe-rescue2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: 2.0

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.