Evershopcommerce
Products
1- 13 CVEs
Recent CVEs
13| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-12919 | Low | 0.24 | 3.7 | 0.00 | Nov 9, 2025 | A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers.… | ||
| CVE-2026-28213 | 0.00 | — | 0.00 | Feb 26, 2026 | EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated… | |||
| CVE-2026-25993 | 0.00 | — | 0.00 | Feb 10, 2026 | EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute().… | |||
| CVE-2025-67427 | 0.00 | — | 0.00 | Jan 5, 2026 | A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter,… | |||
| CVE-2025-67419 | 0.00 | — | 0.00 | Jan 5, 2026 | A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern… | |||
| CVE-2025-65844 | 0.00 | — | 0.00 | Dec 2, 2025 | EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused… | |||
| CVE-2023-46494 | 0.00 | — | 0.00 | Dec 8, 2023 | Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx. | |||
| CVE-2023-46497 | 0.00 | — | 0.01 | Dec 8, 2023 | Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint. | |||
| CVE-2023-46499 | 0.00 | — | 0.00 | Dec 8, 2023 | Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted scripts to the Admin Panel. | |||
| CVE-2023-46493 | 0.00 | — | 0.01 | Dec 8, 2023 | Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in fileBrowser/browser.js. | |||
| CVE-2023-46498 | 0.00 | — | 0.01 | Dec 8, 2023 | An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file. | |||
| CVE-2023-46495 | 0.00 | — | 0.00 | Dec 8, 2023 | Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter. | |||
| CVE-2023-46496 | 0.00 | — | 0.01 | Dec 8, 2023 | Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in api/files endpoint. |
- risk 0.24cvss 3.7epss 0.00
A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers.…
- CVE-2026-28213Feb 26, 2026risk 0.00cvss —epss 0.00
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated…
- CVE-2026-25993Feb 10, 2026risk 0.00cvss —epss 0.00
EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute().…
- CVE-2025-67427Jan 5, 2026risk 0.00cvss —epss 0.00
A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter,…
- CVE-2025-67419Jan 5, 2026risk 0.00cvss —epss 0.00
A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern…
- CVE-2025-65844Dec 2, 2025risk 0.00cvss —epss 0.00
EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused…
- CVE-2023-46494Dec 8, 2023risk 0.00cvss —epss 0.00
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx.
- CVE-2023-46497Dec 8, 2023risk 0.00cvss —epss 0.01
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint.
- CVE-2023-46499Dec 8, 2023risk 0.00cvss —epss 0.00
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted scripts to the Admin Panel.
- CVE-2023-46493Dec 8, 2023risk 0.00cvss —epss 0.01
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in fileBrowser/browser.js.
- CVE-2023-46498Dec 8, 2023risk 0.00cvss —epss 0.01
An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file.
- CVE-2023-46495Dec 8, 2023risk 0.00cvss —epss 0.00
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter.
- CVE-2023-46496Dec 8, 2023risk 0.00cvss —epss 0.01
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in api/files endpoint.