Description
EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key, subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1.
Published: 2026-02-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Second‑Order SQL Injection leading to data compromise
Action: Apply Patch
AI Analysis

Impact

EverShop concatenates url_key values—derived from category URL keys—directly into SQL statements during category update and deletion event handling. This design flaw allows a second‑order SQL injection that can compromise data confidentiality and integrity by executing arbitrary SQL when malicious content is stored in url_key. The vulnerability carries a 9.3 CVSS score, indicating a high‑severity impact if exploited.

Affected Systems

The affected product is EverShop (vendor evershop, product evershop). Versions prior to the 2.1.1 release are vulnerable; the fix is available in v2.1.1 and later releases.

Risk and Exploitability

The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low probability of exploitation in the wild. The likely attack vector requires an attacker to inject malicious characters into the url_key field, which typically necessitates privileged access to modify category data. Once that is achieved, the attacker could perform unauthorized data export or alteration.

Generated by OpenCVE AI on April 17, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch v2.1.1 or later to replace string concatenation with parameterized queries.
  • Limit write permissions on the url_key column to ensure only trusted administrative users can modify it.
  • Review the codebase for other instances of dynamic SQL construction and refactor them to use safe query practices.
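The concatenation the advisory describes, placed beside the parameterized form the recommended actions call for, as an added JavaScript example that is not EverShop's code: the url_rewrite table, the entity_id column, the $1/$2 placeholder syntax, the simulated execute() and the sample category row are all assumptions constructed for this illustration.

```javascript
// Simulated database client (constructed for this example): execute() records
// the SQL text and bound parameters instead of talking to a real database.
function makeExecutor() {
  const log = [];
  return { log, execute(sql, params = []) { log.push({ sql, params }); } };
}

// Vulnerable pattern from the advisory: the stored url_key is spliced into the
// statement text, so whatever sits in that column becomes part of the SQL.
// Table and column names (url_rewrite, entity_id) are assumed, not EverShop's.
function updateRewriteConcat(db, category) {
  const requestPath = '/category/' + category.url_key;
  db.execute(
    "UPDATE url_rewrite SET request_path = '" + requestPath +
    "' WHERE entity_id = " + category.category_id
  );
  return db.log[db.log.length - 1].sql;
}

// Hardened pattern: the statement text is constant and the values travel as
// bound parameters ($1/$2 placeholders assume a PostgreSQL-style driver).
function updateRewriteParam(db, category) {
  const requestPath = '/category/' + category.url_key;
  db.execute(
    'UPDATE url_rewrite SET request_path = $1 WHERE entity_id = $2',
    [requestPath, category.category_id]
  );
  return db.log[db.log.length - 1];
}

// Write-time guard for the column itself: a url_key is a lowercase slug, so
// anything else is rejected before it can be stored and later re-used in SQL.
const SLUG = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
function isValidUrlKey(key) {
  return typeof key === 'string' && SLUG.test(key);
}

// Heuristic review check on generated SQL: an odd number of single quotes
// means a value escaped its string literal and changed the statement shape.
function literalsBalanced(sql) {
  return (sql.match(/'/g) || []).length % 2 === 0;
}

// Constructed category row: an ordinary-looking url_key with an apostrophe is
// already enough to break the concatenated statement.
const row = { category_id: 7, url_key: "men's-shoes" };
console.log(updateRewriteConcat(makeExecutor(), row)); // quotes unbalanced
console.log(updateRewriteParam(makeExecutor(), row));  // value stays data
console.log(isValidUrlKey(row.url_key));              // false
```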


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 18:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:evershop:evershop:*:*:*:*:*:node.js:*:*
Metrics                    cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Feb 2026 22:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Evershop
                                      Evershop evershop
Vendors & Products                    Evershop
                                      Evershop evershop

Tue, 10 Feb 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:15:00 +0000

Type          Values Removed   Values Added
Description                    EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key, subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1.
Title                          EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys
Weaknesses                     CWE-89
References
Metrics                        cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Evershop Evershop
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T19:29:56.966Z

Reserved: 2026-02-09T17:41:55.858Z

Link: CVE-2026-25993

Vulnrichment

Updated: 2026-02-10T19:29:49.956Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:38.957

Modified: 2026-02-23T18:03:12.130

Link: CVE-2026-25993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses