VYPR

Loadedcommerce

by Loadedcommerce

CVEs (2)

  • CVE-2025-66572 | Med | Dec 4, 2025
    risk 0.45 | cvss | epss 0.00

    Loaded Commerce 6.6 contains a client-side template injection vulnerability via the search parameter that allows unauthenticated attackers to execute arbitrary code in the victim's browser context when they visit a crafted URL.

  • CVE-2014-5140 | Jan 3, 2020
    risk 0.00 | cvss | epss 0.03

    The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book.