CVE-2025-56161

Name of the Vulnerable Software and Affected Versions YOSHOP 2.0

Description The software allows unauthorized disclosure of information through comment-list API endpoints within the Goods module. The Comment model loads the related User model without filtering specific fields. Due to the absence of $hidden or $visible attributes in the User.php file, sensitive data, including bcrypt password hashes, mobile numbers, pay money, and expend money, are exposed in JSON responses. The API endpoints vary depending on the deployment, such as /api/goods.pinglun/list, but all utilize the same vulnerable model logic.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.