Vulnerability Details CVE-2026-25993
EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds
path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key , subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.1%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2026-25993
-
cpe:2.3:a:evershop:evershop:1.0.0
-
cpe:2.3:a:evershop:evershop:1.1.0
-
cpe:2.3:a:evershop:evershop:1.2.0
-
cpe:2.3:a:evershop:evershop:1.2.1
-
cpe:2.3:a:evershop:evershop:1.2.2
-
cpe:2.3:a:evershop:evershop:2.0.0
-
cpe:2.3:a:evershop:evershop:2.0.1
-
cpe:2.3:a:evershop:evershop:2.1.0