Innoshop
by Innocommerce
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-52921 | Innocommerce / Innoshop | Critical | 0.64 | 9.9 | 0.00 | | Jun 23, 2025 | In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code execution on the server, by uploading a crafted file and then renaming it to have a .php extension by using the Rename Function. This bypasses the… |
| CVE-2025-52922 | Innocommerce / Innoshop | High | 0.48 | 7.4 | 0.00 | | Jun 23, 2025 | Innoshop through 0.4.1 allows directory traversal via FileManager API endpoints. An authenticated attacker with access to the admin panel could abuse this to: (1) fully map the filesystem structure via the /api/file_manager/files?base_folder= endpoint, (2) create arbitrary… |
| CVE-2026-39250 | Innocommerce / Innoshop | High | 0.47 | 7.3 | 0.00 | | May 19, 2026 | An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations. |
| CVE-2025-52920 | Innocommerce / Innoshop | Medium | 0.42 | 6.4 | 0.00 | | Jun 23, 2025 | Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their… |
| CVE-2026-7630 | Innocommerce / Innoshop | High | 0.40 | 7.3 | 0.00 | | May 2, 2026 | A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper… |
| CVE-2024-57277 | Innocommerce / Innoshop | Medium | 0.30 | 5.7 | 0.00 | | Jan 24, 2025 | InnoShop V.0.3.8 and below is vulnerable to Cross Site Scripting (XSS) via SVG file upload. |
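Three of the entries above (CVE-2025-52921, CVE-2025-52922 and CVE-2024-57277) are file-manager weaknesses of the same family: an extension filter that is not applied on rename, a `base_folder` parameter that is not confined to the storage root, and SVG uploads that carry active content. The following is an added example, not Innoshop's own code, showing the checks a hardened file manager runs on upload, rename and browse. The allow-lists, the storage root `/var/www/storage` and the file names are assumptions chosen for illustration.

```python
"""Checks an admin file manager should run on upload, rename and browse.

Added example for this page, not Innoshop's code. The allow-lists, the
storage root and the file names are assumptions chosen for illustration.
"""
import posixpath
import re
from typing import Optional

# Extensions the file manager may store. Anything else is rejected, so a
# new executable type can never slip in by omission. "svg" is listed only
# because every SVG is additionally scanned below.
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "svg", "pdf", "txt", "csv"}

# Extensions a PHP web server may execute, checked in every dotted segment so
# that "shell.php.jpg" is rejected as well as "shell.php".
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps", "inc",
    "htaccess", "cgi", "pl", "sh",
}


def is_safe_name(name: str) -> bool:
    """Allow-list check for a stored file name.

    The same function must guard upload AND rename: CVE-2025-52921 is the
    case where upload filtered the extension but rename did not.
    """
    if not name or any(c in name for c in "/\\\x00"):
        return False
    if name.startswith("."):          # .htaccess and other hidden files
        return False
    segments = name.lower().split(".")
    if len(segments) < 2:             # no extension at all
        return False
    exts = segments[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return exts[-1] in SAFE_EXTENSIONS


def rename_allowed(old_name: str, new_name: str) -> bool:
    """Rename is an upload in disguise: validate the target like a new file."""
    return is_safe_name(old_name) and is_safe_name(new_name)


def resolve_base_folder(root: str, base_folder: str) -> Optional[str]:
    """Confine a user-supplied base_folder (CVE-2025-52922 pattern) to root.

    Returns the normalised absolute path, or None when the value would
    escape root. Pure path arithmetic only; on a real server follow it with
    os.path.realpath() so a symlink inside root cannot point outside it.
    """
    root = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root, base_folder.lstrip("/")))
    # Compare against root + "/" so that "/var/www/storage2" does not pass
    # as a child of "/var/www/storage".
    if joined == root or joined.startswith(root.rstrip("/") + "/"):
        return joined
    return None


# Coarse gate for SVG uploads (CVE-2024-57277 pattern): script elements,
# event-handler attributes, javascript:/data: URLs and foreignObject. A
# regex is not an XML sanitiser; a deployment should also serve SVG with
# Content-Disposition: attachment or rasterise it before display.
_SVG_ACTIVE = re.compile(
    rb"<\s*script\b|\son[a-z]+\s*=|javascript:|<\s*foreignObject\b"
    rb"|href\s*=\s*[\"']?\s*(?:javascript|data):",
    re.IGNORECASE,
)


def svg_has_active_content(data: bytes) -> bool:
    return _SVG_ACTIVE.search(data) is not None


def accept_upload(name: str, data: bytes) -> bool:
    """Combined decision used by the upload handler."""
    if not is_safe_name(name):
        return False
    if name.lower().endswith(".svg"):
        return not svg_has_active_content(data)
    return True


if __name__ == "__main__":
    print(rename_allowed("photo.jpg", "shell.php"))                 # False
    print(resolve_base_folder("/var/www/storage", "../../etc"))     # None
    print(accept_upload("logo.svg", b'<svg onload="alert(1)"/>'))   # False
```

The point of `rename_allowed` is not the extension list but where it is called: every operation that chooses a final file name (upload, rename, move, extract) has to go through the same allow-list, or the weakest one becomes the upload path.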
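CVE-2025-52920 and CVE-2026-39250 are both authorization failures rather than input-handling bugs: a customer reaching another customer's records by id, and a storefront login reaching backend interfaces at all. The following added example (not Innoshop's code) shows the two missing checks side by side with the vulnerable shape. The routes `/api/admin/...` and `/api/account/addresses/<id>`, the `Session` shape and the in-memory `ADDRESSES` table are constructed for illustration.

```python
"""Authorization gate for a storefront API.

Added example for this page, not Innoshop's code. The routes, the Session
shape and the in-memory ADDRESSES table are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Session:
    guard: str          # "customer" (storefront login) or "admin" (backend login)
    principal_id: int   # customer id or admin user id


# Constructed sample data: two customers, each with one saved address.
ADDRESSES: Dict[int, Dict[str, object]] = {
    1: {"customer_id": 100, "line1": "1 First St"},
    2: {"customer_id": 200, "line1": "2 Second Ave"},
}


def _address_id(path: str) -> Optional[int]:
    try:
        return int(path.rsplit("/", 1)[1])
    except ValueError:
        return None


def handle_vulnerable(session: Optional[Session], method: str, path: str) -> int:
    """The weak shape: "is someone logged in?" is the only question asked.

    Any storefront session reaches backend routes (CVE-2026-39250 pattern)
    and any customer reads or deletes any address because the row is
    looked up by id alone (CVE-2025-52920 pattern).
    """
    if session is None:
        return 401
    if path.startswith("/api/admin/"):
        return 200                # guard never inspected
    if path.startswith("/api/account/addresses/"):
        if _address_id(path) not in ADDRESSES:
            return 404
        return 204 if method == "DELETE" else 200   # foreign rows included
    return 404


def handle(session: Optional[Session], method: str, path: str) -> int:
    """Hardened dispatcher: guard check per route family, then ownership."""
    # Backend interfaces are reachable only through the admin guard. A
    # storefront session is refused here, before any controller runs,
    # regardless of which backend endpoint it asked for.
    if path.startswith("/api/admin/"):
        if session is None:
            return 401
        return 200 if session.guard == "admin" else 403

    if path.startswith("/api/account/addresses/"):
        if session is None or session.guard != "customer":
            return 401
        address_id = _address_id(path)
        record = ADDRESSES.get(address_id) if address_id is not None else None
        # Ownership check scoped to the caller, the equivalent of
        # Laravel's $request->user()->addresses()->findOrFail($id).
        # Missing and foreign rows both answer 404 so ids cannot be probed.
        if record is None or record["customer_id"] != session.principal_id:
            return 404
        if method == "DELETE":
            del ADDRESSES[address_id]   # side effect only after the check
            return 204
        return 200

    return 404


if __name__ == "__main__":
    bob = Session("customer", 200)
    print(handle_vulnerable(bob, "GET", "/api/account/addresses/1"))  # 200: Alice's PII
    print(handle(bob, "GET", "/api/account/addresses/1"))             # 404
    print(handle(bob, "GET", "/api/admin/orders"))                    # 403
```

The guard decision is made on the route prefix, not inside each controller, so a newly added backend endpoint inherits the admin requirement instead of having to remember it. Object ownership is enforced by scoping the lookup to the caller, which is the same query change that removes an IDOR in an ORM.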