Nopcommerce
by Nopsolutions
Source repositories
CVEs (6)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-65590 | 0.00 | — | 0.00 | Dec 16, 2025 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area. | ||
| CVE-2025-65591 | 0.00 | — | 0.00 | Dec 16, 2025 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality. | ||
| CVE-2025-65589 | 0.00 | — | 0.00 | Dec 16, 2025 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality. | ||
| CVE-2025-65592 | 0.00 | — | 0.00 | Dec 16, 2025 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the affected pages. | ||
| CVE-2025-65593 | 0.00 | — | 0.00 | Dec 16, 2025 | nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality. | ||
| CVE-2025-11699 | 0.00 | — | 0.00 | Dec 1, 2025 | nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability. |
- CVE-2025-65590Dec 16, 2025risk 0.00cvss —epss 0.00
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area.
- CVE-2025-65591Dec 16, 2025risk 0.00cvss —epss 0.00
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality.
- CVE-2025-65589Dec 16, 2025risk 0.00cvss —epss 0.00
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality.
- CVE-2025-65592Dec 16, 2025risk 0.00cvss —epss 0.00
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the affected pages.
- CVE-2025-65593Dec 16, 2025risk 0.00cvss —epss 0.00
nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality.
- CVE-2025-11699Dec 1, 2025risk 0.00cvss —epss 0.00
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.