Guchengwuyue: Yshopmall Security Vulnerabilities

A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Manipulating the argument File results in unrestricted upload. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2026-02-08

A vulnerability was identified in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. Manipulation of the argument sort causes SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2026-01-09

yshopmall <=v1.9.0 is vulnerable to SQL Injection in the image listing interface.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2025-03-04

yshopmall V1.0 has an arbitrary file upload vulnerability, which can enable RCE or even server takeover when the server is improperly configured to parse JSP files.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2024-11-15

Shodan ® - All rights reserved