CVE-2026-33129
H3 is a minimal HTTP framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server...
CVE-2023-46943
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access t...
EverShop Security Breach
EverShop is a NodeJS e-commerce platform open-sourced by EverShop. A security vulnerability exists in EverShop versions prior to 1.0.0-rc.8 that stems from a lack of authentication. An attacker can exploit the vulnerability to obtain sensitive information through incorrect authorization in a GraphQ...
EverShop Security Breach
EverShop is a NodeJS e-commerce platform open-sourced by EverShop. A security vulnerability exists in EverShop versions prior to 1.0.0-rc.8, which stems from the HMAC secret used to generate tokens being hardcoded as "secret"...
CVE-2023-46496
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in api/files endpoint...
CVE-2023-46495
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter...
CVE-2023-46498
An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file...
PT-2023-30056 · Npm · Evershop
Name of the Vulnerable Software and Affected Versions: EverShop NPM versions prior to 1.0.0-rc.8 Description: The issue allows a remote attacker to obtain sensitive information via a crafted request to the "DELETE" function in the "api/files" endpoint. Recommendations: For versions prior to...
PT-2023-30058 · Npm · Evershop
Name of the Vulnerable Software and Affected Versions: EverShop NPM versions prior to 1.0.0-rc.8 Description: An issue in EverShop NPM allows a remote attacker to obtain sensitive information and execute arbitrary code via the "/deleteCustomer/route.json" API endpoint. The deleteCustomer route is...
EverShop Security Breach
EverShop is a NodeJS e-commerce platform open-sourced by EverShop. A security vulnerability exists in EverShop versions prior to 1.0.0-rc.8, which stems from the presence of a directory traversal vulnerability that allows remote attackers to obtain sensitive information via a crafted request...
EverShop Security Breach
EverShop is a NodeJS e-commerce platform open-sourced by EverShop. A security vulnerability exists in EverShop versions prior to v.1.0.0-rc.8. A remote attacker could exploit the vulnerability to obtain sensitive information via a specially crafted request to the sortBy parameter...
CVE-2009-5051
Hastymail2 pre-RC8 is vulnerable: in HTTPS sessions the session cookie is not marked Secure, enabling potential interception of the cookie in transit. The OpenVAS entries describe a session-cookie security bypass; no concrete exploit details or patch/version fixes are provided in the supplied doc...