VYPR

Vendor: Nopsolutions

Products: 1
CVEs: 18
Across products: 18
Status: Private

Recent CVEs (18)

  • CVE-2019-19683 | Critical | Dec 9, 2019
    risk 0.59 | cvss 9.1 | epss 0.02

    RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to ../ path traversal via d or f to Admin/RoxyFileman/ProcessRequest because of Libraries/Nop.Services/Media/RoxyFileman/FileRoxyFilemanService.cs.

  • CVE-2019-19685 | High | Dec 9, 2019
    risk 0.57 | cvss 8.8 | epss 0.01

    RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions.

  • CVE-2019-19684 | High | Dec 9, 2019
    risk 0.57 | cvss 8.8 | epss 0.02

    nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin.

  • CVE-2022-26954 | Medium | Oct 20, 2022
    risk 0.40 | cvss 6.1 | epss 0.01

    Multiple open redirect vulnerabilities in nopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync…

  • CVE-2022-27461 | Medium | May 4, 2022
    risk 0.40 | cvss 6.1 | epss 0.01

    In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.

  • CVE-2022-28450 | Medium | Apr 26, 2022
    risk 0.35 | cvss 5.4 | epss 0.01

    nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code in the client browser.

  • CVE-2019-11519 | Medium | Apr 25, 2019
    risk 0.32 | cvss 4.9 | epss 0.01

    Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen.

  • CVE-2019-19682 | Medium | Dec 9, 2019
    risk 0.31 | cvss 4.8 | epss 0.01

    nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \Presentation\Nop.Web\Areas\Admin\Controllers\NewsController.cs and \Presentation\Nop.Web\Areas\Admin\Controllers\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id]…

  • CVE-2025-65592 | Dec 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the…

  • CVE-2025-65591 | Dec 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality.

  • CVE-2025-65590 | Dec 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area.

  • CVE-2025-65589 | Dec 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality.

  • CVE-2025-65593 | Dec 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality.

  • CVE-2025-11699 | Dec 1, 2025
    risk 0.00 | cvss n/a | epss 0.00

    nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out,…

  • CVE-2021-42193 | Oct 3, 2025
    risk 0.00 | cvss n/a | epss 0.00

    nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires.

  • CVE-2024-58248 | Apr 16, 2025
    risk 0.00 | cvss n/a | epss 0.00

    nopCommerce through 4.90.1 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards.

  • CVE-2024-38963 | Jul 9, 2024
    risk 0.00 | cvss n/a | epss 0.00

    nopCommerce 4.70.1 is vulnerable to Cross Site Scripting (XSS) via the combined "AddProductReview.Title" and "AddProductReview.ReviewText" parameter(s) (Reviews) when creating a new review.

  • CVE-2022-28451 | High | May 2, 2022
    risk 0.00 | cvss 7.5 | epss 0.01

    nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature.