Vulnerability Details CVE-2025-56161
YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money.) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 7.7%
CVSS Severity
CVSS v3 Score 7.5
References