CVE-2025-65844

High CVSS: 7.5

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space.

Vendor

Evershop

Product

Evershop

CWE

CWE-434

Yayın Tarihi

2025-12-02 18:15:49

Güncelleme

2025-12-06 04:15:47

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-434 Evershop HIGH Evershop 2025

Referanslar

https://github.com/evershopcommerce/evershop/issues/819

Benzer Kayıtlar

Critical

CVE-2026-28213

EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password"…

Critical

CVE-2026-25993

EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application e…

High

CVE-2025-67419

A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the appl…

Medium

CVE-2025-67427

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to…

Medium

CVE-2025-12919

A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graph…