npm package
@evershop/evershop
pkg:npm/%40evershop/evershop
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-67427 | — | — | — | <= 2.1.0 | — | Jan 5, 2026 | A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, w |
| CVE-2025-67419 | — | — | — | <= 2.1.0 | — | Jan 5, 2026 | A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tile |
| CVE-2025-12919 | Low | 3.7 | — | <= 2.1.0 | — | Nov 9, 2025 | A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The |
| CVE-2023-46943 | — | — | — | < 1.0.0-rc.9 | 1.0.0-rc.9 | Jan 13, 2024 | An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), all |
| CVE-2023-46942 | — | — | — | < 1.0.0-rc.9 | 1.0.0-rc.9 | Jan 13, 2024 | Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8 allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints. |
| CVE-2023-46499 | — | — | — | < 1.0.0-rc.5 | 1.0.0-rc.5 | Dec 8, 2023 | Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via crafted scripts sent to the Admin Panel. |
| CVE-2023-46498 | — | — | — | < 1.0.0-rc.8 | 1.0.0-rc.8 | Dec 8, 2023 | An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file. |
| CVE-2023-46497 | — | — | — | < 1.0.0-rc.8 | 1.0.0-rc.8 | Dec 8, 2023 | Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint. |
| CVE-2023-46496 | — | — | — | < 1.0.0-rc.8 | 1.0.0-rc.8 | Dec 8, 2023 | Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in the api/files endpoint. |
| CVE-2023-46495 | — | — | — | < 1.0.0-rc.8 | 1.0.0-rc.8 | Dec 8, 2023 | Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter. |
| CVE-2023-46494 | — | — | — | < 1.0.0-rc.5 | 1.0.0-rc.5 | Dec 8, 2023 | Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx. |
| CVE-2023-46493 | — | — | — | < 1.0.0-rc.8 | 1.0.0-rc.8 | Dec 8, 2023 | Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in fileBrowser/browser.js. |