CVE ID : CVE-2026-25993
Published : Feb. 10, 2026, 6:16 p.m. | 1 hour, 43 minutes ago
Description : EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds
path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key , subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
Published : Feb. 10, 2026, 6:16 p.m. | 1 hour, 43 minutes ago
Description : EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds
path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key , subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…