Evershopcommerce Evershop vulnerabilities
2 known vulnerabilities affecting evershopcommerce/evershop.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2
Vulnerabilities
CVE-2026-28213 | P2 | CRITICAL | CVSS 9.8 | CWE-200 | fixed in 2.1.1 | 2026-02-26
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue.
nvd
CVE-2026-25993 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 2.1.1 | 2026-02-10
EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values, derived from the url_key stored in the database, into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key, subsequent event
nvd