Newbee Ltd
Products: 2
- 14 CVEs
- 2 CVEs
Recent CVEs: 15

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-15360 | | Med | 0.31 | 4.7 | 0.00 | | Dec 30, 2025 | A vulnerability was determined in newbee-mall-plus 2.0.0. This impacts the function Upload of the file src/main/java/ltd/newbee/mall/controller/common/UploadController.java of the component Product Information Edit Page. This manipulation of the argument File causes unrestricted… |
| CVE-2026-2658 | | Med | 0.28 | 4.3 | 0.00 | | Feb 18, 2026 | A vulnerability was found in newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee. Affected is an unknown function of the component Multiple Endpoints. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is… |
| CVE-2025-10422 | | Med | 0.28 | 4.3 | 0.00 | | Sep 15, 2025 | A vulnerability has been found in newbee-mall up to 613a662adf1da7623ec34459bc83e3c1b12d8ce7. This issue affects the function paySuccess of the file /paySuccess of the component Order Status Handler. The manipulation of the argument orderNo leads to improper authorization.… |
| CVE-2025-12854 | | Low | 0.24 | 3.7 | 0.00 | | Nov 7, 2025 | A vulnerability was identified in newbee-mall-plus up to 2.4.1. This vulnerability affects the function executeSeckill of the file /seckillExecution/. The manipulation of the argument userid leads to authorization bypass. It is possible to initiate the attack remotely. The… |
| CVE-2025-10423 | | Low | 0.24 | 3.7 | 0.00 | | Sep 15, 2025 | A vulnerability was found in newbee-mall 1.0. Impacted is the function mallKaptcha of the file /common/mall/kaptcha. The manipulation results in guessable captcha. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is… |
| CVE-2026-26219 | | | 0.00 | — | 0.00 | | Feb 12, 2026 | newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other… |
| CVE-2026-26218 | | | 0.00 | — | 0.00 | | Feb 12, 2026 | newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default… |
| CVE-2025-4259 | | | 0.00 | — | 0.00 | | May 5, 2025 | A vulnerability has been found in newbee-mall 1.0 and classified as critical. Affected by this vulnerability is the function Upload of the file ltd/newbee/mall/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack… |
| CVE-2025-1114 | | | 0.00 | — | 0.00 | | Feb 7, 2025 | A vulnerability classified as problematic has been found in newbee-mall 1.0. Affected is the function save of the file /admin/categories/save of the component Add Category Page. The manipulation of the argument categoryName leads to cross site scripting. It is possible to launch… |
| CVE-2024-48178 | | | 0.00 | — | 0.00 | | Oct 28, 2024 | newbee-mall v1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the goodsCoverImg parameter. |
| CVE-2023-30216 | | | 0.00 | — | 0.00 | | May 4, 2023 | Insecure permissions in the updateUserInfo function of newbee-mall before commit 1f2c2dfy allows attackers to obtain user account information. |
| CVE-2022-27477 | | | 0.00 | — | 0.01 | | Apr 10, 2022 | Newbee-Mall v1.0.0 was discovered to contain an arbitrary file upload via the Upload function at /admin/goods/edit. |
| CVE-2022-27476 | | | 0.00 | — | 0.01 | | Apr 10, 2022 | A cross-site scripting (XSS) vulnerability at /admin/goods/update in Newbee-Mall v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the goodsName parameter. |
| CVE-2020-23447 | | | 0.00 | — | 0.01 | | Jan 26, 2021 | newbee-mall 1.0 is affected by cross-site scripting in shop-cart/settle. Users only need to write xss payload in their address information when buying goods, which is triggered when viewing the "View Recipient Information" of this order in "Order Management Office". |
| CVE-2019-19113 | | | 0.00 | — | 0.02 | | Nov 18, 2019 | main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka New Bee) before 2019-10-23 allows search?goodsCategoryId=&keyword= SQL Injection. |