Nopcommerce
by Nopsolutions
CVEs (19)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-19683 | | Critical | 0.59 | 9.1 | 0.02 | | Dec 9, 2019 | RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to ../ path traversal via d or f to Admin/RoxyFileman/ProcessRequest because of Libraries/Nop.Services/Media/RoxyFileman/FileRoxyFilemanService.cs. |
| CVE-2019-19685 | | High | 0.57 | 8.8 | 0.01 | | Dec 9, 2019 | RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions. |
| CVE-2019-19684 | | High | 0.57 | 8.8 | 0.02 | | Dec 9, 2019 | nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin. |
| CVE-2022-33077 | | High | 0.49 | 7.5 | 0.01 | | Oct 19, 2022 | An access control issue in nopcommerce v4.50.2 allows attackers to arbitrarily modify any customer's address via the addressedit endpoint. |
| CVE-2022-26954 | | Medium | 0.40 | 6.1 | 0.01 | | Oct 20, 2022 | Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync… |
| CVE-2022-27461 | | Medium | 0.40 | 6.1 | 0.01 | | May 4, 2022 | In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link. |
| CVE-2022-28450 | | Medium | 0.35 | 5.4 | 0.01 | | Apr 26, 2022 | nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code in the client browser. |
| CVE-2019-11519 | | Medium | 0.32 | 4.9 | 0.01 | | Apr 25, 2019 | Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen. |
| CVE-2019-19682 | | Medium | 0.31 | 4.8 | 0.01 | | Dec 9, 2019 | nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \Presentation\Nop.Web\Areas\Admin\Controllers\NewsController.cs and \Presentation\Nop.Web\Areas\Admin\Controllers\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id]… |
| CVE-2025-65592 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the… |
| CVE-2025-65590 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area. |
| CVE-2025-65591 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality. |
| CVE-2025-65589 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality. |
| CVE-2025-65593 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality. |
| CVE-2025-11699 | | | 0.00 | — | 0.00 | | Dec 1, 2025 | nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out,… |
| CVE-2021-42193 | | | 0.00 | — | 0.00 | | Oct 3, 2025 | nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires. |
| CVE-2024-58248 | | | 0.00 | — | 0.00 | | Apr 16, 2025 | nopCommerce through 4.90.1 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards. |
| CVE-2024-38963 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | Nopcommerce 4.70.1 is vulnerable to Cross Site Scripting (XSS) via the combined "AddProductReview.Title" and "AddProductReview.ReviewText" parameter(s) (Reviews) when creating a new review. |
| CVE-2022-28451 | | High | 0.00 | 7.5 | 0.01 | | May 2, 2022 | nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature. |