12 matches found
SQL Injection
Overview @evershop/evershop is The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable. Affected versions of this package are vulnerable to SQL Injection via the category value used for update and delete operations. It is input to the execute...
grocery_app (=1.0.0) potentially affected by CVE-2025-67419 via @evershop/evershop (=2.1.2)
@evershop/evershop NPM version =2.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on @evershop/evershop and may be impacted:
- groceryapp =1.0.0
Source cves: CVE-2025-67419
Source advisory: SNYK:JS-EVERSHOPEVERSHOP-14872349...
Server-side Request Forgery (SSRF)
Overview @evershop/evershop is The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the GET /images API endpoint. An attacker can cause the server to...
Excessive Platform Resource Consumption within a Loop
Overview @evershop/evershop is The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable. Affected versions of this package are vulnerable to Excessive Platform Resource Consumption within a Loop via the GET /images API endpoint when processing SVG...
Resource Injection
Overview @evershop/evershop is The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable. Affected versions of this package are vulnerable to Resource Injection via the use of getOrdersBaseQuery in Order.resolvers.js. An attacker can access...
CVE-2023-46943
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access t...
CVE-2023-46942
Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8 allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints...
evershop-app (=0.1.0) potentially affected by CVE-2023-46498 via @evershop/evershop (=1.0.0-rc.5)
@evershop/evershop NPM version =1.0.0-rc.5 is affected by a known vulnerability. The following packages have a transitive dependency on @evershop/evershop and may be impacted:
- evershop-app =0.1.0
Source cves: CVE-2023-46498
Source advisory: OSV:GHSA-5MMR-9QX3-3PF9...
evershop-app (=0.1.0) potentially affected by CVE-2023-46496 via @evershop/evershop (=1.0.0-rc.5)
@evershop/evershop NPM version =1.0.0-rc.5 is affected by a known vulnerability. The following packages have a transitive dependency on @evershop/evershop and may be impacted:
- evershop-app =0.1.0
Source cves: CVE-2023-46496
Source advisory: OSV:GHSA-RWF3-W4JQ-F4CM...
evershop-app (=0.1.0) potentially affected by CVE-2023-46493 via @evershop/evershop (=1.0.0-rc.5)
@evershop/evershop NPM version =1.0.0-rc.5 is affected by a known vulnerability. The following packages have a transitive dependency on @evershop/evershop and may be impacted:
- evershop-app =0.1.0
Source cves: CVE-2023-46493
Source advisory: OSV:GHSA-4WRM-QMQ2-5FJX...
CVE-2023-46493
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in fileBrowser/browser.js...
PT-2023-30058 · Npm · Evershop
Name of the Vulnerable Software and Affected Versions: EverShop NPM versions prior to 1.0.0-rc.8
Description: An issue in EverShop NPM allows a remote attacker to obtain sensitive information and execute arbitrary code via the "/deleteCustomer/route.json" API endpoint. The deleteCustomer route is...