VYPR

Evershop

by Evershopcommerce


CVEs (13)

  • CVE-2025-12919 | Low | Nov 9, 2025
    risk 0.24 | cvss 3.7 | epss 0.00

    A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers.…

  • CVE-2026-28213 | Feb 26, 2026
    risk 0.00 | cvss - | epss 0.00

    EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated…

  • CVE-2026-25993 | Feb 10, 2026
    risk 0.00 | cvss - | epss 0.00

    EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute().…

  • CVE-2025-67427 | Jan 5, 2026
    risk 0.00 | cvss - | epss 0.00

    A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter,…

  • CVE-2025-67419 | Jan 5, 2026
    risk 0.00 | cvss - | epss 0.00

    A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern…

  • CVE-2025-65844 | Dec 2, 2025
    risk 0.00 | cvss - | epss 0.00

    EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused…

  • CVE-2023-46494 | Dec 8, 2023
    risk 0.00 | cvss - | epss 0.00

    Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx.

  • CVE-2023-46497 | Dec 8, 2023
    risk 0.00 | cvss - | epss 0.01

    Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint.

  • CVE-2023-46499 | Dec 8, 2023
    risk 0.00 | cvss - | epss 0.00

    Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via crafted scripts submitted to the Admin Panel.

  • CVE-2023-46493 | Dec 8, 2023
    risk 0.00 | cvss - | epss 0.01

    Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in fileBrowser/browser.js.

  • CVE-2023-46498 | Dec 8, 2023
    risk 0.00 | cvss - | epss 0.01

    An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file.

  • CVE-2023-46495 | Dec 8, 2023
    risk 0.00 | cvss - | epss 0.00

    Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter.

  • CVE-2023-46496 | Dec 8, 2023
    risk 0.00 | cvss - | epss 0.01

    Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in the api/files endpoint.