Description

EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values, which are derived from the url_key stored in the database, into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key, subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1.
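
The sketch below is an added example, not EverShop's code or its patch. It contrasts the concatenation pattern described above with a bound-parameter form, and audits stored url_key values, since second-order input is already in the database when the fix lands. The table name url_rewrite_example, the column category_id, the slug policy and the sample rows are assumptions.

```javascript
// Added illustration. url_key and request_path come from the description;
// url_rewrite_example, the slug policy and all sample rows are assumptions.

// Pattern described above: a value read back from storage becomes SQL text.
function buildUpdateConcat(oldPath, newPath) {
  return "UPDATE url_rewrite_example SET request_path = '" + newPath +
    "' WHERE request_path = '" + oldPath + "'";
}

// Hardened form: constant SQL text, stored values passed as bind parameters
// (positional $1/$2 placeholders, as PostgreSQL drivers accept).
function buildUpdateParam(oldPath, newPath) {
  return {
    text: 'UPDATE url_rewrite_example SET request_path = $1 WHERE request_path = $2',
    values: [newPath, oldPath],
  };
}

// Replace every complete string literal with "?" so only the statement's
// structure remains; data must never be able to change this skeleton.
function skeleton(sql) {
  return sql.replace(/'(?:[^']|'')*'/g, '?');
}
const EXPECTED_SKELETON =
  'UPDATE url_rewrite_example SET request_path = ? WHERE request_path = ?';

// Second-order issues live in rows stored before the fix, so audit them.
// Assumed policy: lowercase letters and digits separated by single hyphens.
const SLUG = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
function auditUrlKeys(rows) {
  return rows.filter((r) => !SLUG.test(r.url_key)).map((r) => r.category_id);
}

// Constructed sample rows.
const rows = [
  { category_id: 1, url_key: 'summer-sale' },
  { category_id: 2, url_key: "kids' corner" },
  { category_id: 3, url_key: 'shoes' },
];

for (const row of rows) {
  const sql = buildUpdateConcat('/old', '/' + row.url_key);
  const intact = skeleton(sql) === EXPECTED_SKELETON;
  console.log(row.category_id, intact ? 'structure intact' : 'structure changed by data');
}
console.log('rows to review:', auditUrlKeys(rows));
```

With the bound-parameter form the SQL text never varies with the stored value, so there is no skeleton to check.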

INFO

Published Date : 2026-02-10T17:43:38.998Z

Last Modified : 2026-02-10T19:29:56.966Z

Source : GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-25993 vulnerability.

Vendor: Evershop
Product: Evershop