Vendor
Shopizer Ecommerce
Products
1
CVEs
9
Across products
9
Status
Private
Products
1- 9 CVEs
Recent CVEs
9| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-36767 | Cri | 0.65 | 10.0 | 0.00 | Apr 30, 2026 | A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request. | |
| CVE-2026-36763 | Med | 0.40 | 6.1 | 0.00 | Apr 30, 2026 | A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter. | |
| CVE-2026-36766 | Med | 0.35 | 5.4 | 0.00 | Apr 30, 2026 | Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getReader() functions. | |
| CVE-2022-23063 | 0.00 | — | 0.00 | May 3, 2022 | In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed. | ||
| CVE-2022-23061 | 0.00 | — | 0.00 | May 1, 2022 | In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability. | ||
| CVE-2022-23060 | 0.00 | — | 0.00 | May 1, 2022 | A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab | ||
| CVE-2022-23059 | 0.00 | — | 0.00 | Mar 29, 2022 | A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0 via the “Manage Images” tab, which allows an attacker to upload a SVG file containing malicious JavaScript code. | ||
| CVE-2020-11006 | 0.00 | — | 0.00 | May 8, 2020 | In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend. This has been patched in version 2.11.0. | ||
| CVE-2020-11007 | 0.00 | — | 0.00 | Apr 16, 2020 | In Shopizer before version 2.11.0, using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart. This has been patched in version 2.11.0. |