CVE-2025-67427

Medium CVSS: 6.5

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.

Vendor

Evershop

Product

Evershop

CWE

CWE-918

Yayın Tarihi

2026-01-05 20:16:03

Güncelleme

2026-01-12 18:12:22

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-918 Evershop MEDIUM Evershop 2026

Referanslar

https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67427 https://github.com/evershopcommerce/evershop

Benzer Kayıtlar

Critical

CVE-2026-28213

EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password"…

Critical

CVE-2026-25993

EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application e…

High

CVE-2025-67419

A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the appl…

High

CVE-2025-65844

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/im…

Medium

CVE-2025-12919

A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graph…