CVE-2026-25993
- Source
- https://cve.org/CVERecord?id=CVE-2026-25993
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25993.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25993
- Aliases
-
- GHSA-3h84-9rhc-j2ch
- Published
- 2026-02-10T17:43:38.998Z
- Modified
- 2026-03-13T04:11:19.510388Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys
- Details
-
EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / requestpath values—derived from the urlkey stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key , subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-89" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25993.json" }- References
-
- http://github.com/evershopcommerce/evershop/commit/5c5bdf2c1ad5d16ae68e9e48b494563953b6d1cd
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25993.json
- https://github.com/evershopcommerce/evershop/security/advisories/GHSA-3h84-9rhc-j2ch
- https://nvd.nist.gov/vuln/detail/CVE-2026-25993