VYPR
Vendor: Innocommerce

Products: 1
CVEs: 6
Across products: 6
Status: Private

Recent CVEs (6)

  • CVE-2025-52921, Critical, Jun 23, 2025
    risk 0.64, cvss 9.9, epss 0.00

    In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code execution on the server, by uploading a crafted file and then renaming it to have a .php extension by using the Rename Function. This bypasses the…

  • CVE-2025-52922, High, Jun 23, 2025
    risk 0.48, cvss 7.4, epss 0.00

    Innoshop through 0.4.1 allows directory traversal via FileManager API endpoints. An authenticated attacker with access to the admin panel could abuse this to: (1) fully map the filesystem structure via the /api/file_manager/files?base_folder= endpoint, (2) create arbitrary…

  • CVE-2026-39250, High, May 19, 2026
    risk 0.47, cvss 7.3, epss 0.00

    An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations.

  • CVE-2025-52920, Medium, Jun 23, 2025
    risk 0.42, cvss 6.4, epss 0.00

    Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their…

  • CVE-2026-7630, High, May 2, 2026
    risk 0.40, cvss 7.3, epss 0.00

    A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper…

  • CVE-2024-57277, Medium, Jan 24, 2025
    risk 0.30, cvss 5.7, epss 0.00

    InnoShop V.0.3.8 and below is vulnerable to Cross Site Scripting (XSS) via SVG file upload.