PT-2026-1329 · Evershop · Evershop

Published: 2026-01-05 · Updated: 2026-01-06 · CVE-2025-67427

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: evershop versions prior to 2.1.1

Description: A Blind Server-Side Request Forgery (SSRF) exists in evershop versions prior to 2.1.1. An unauthenticated attacker can force the server to initiate an HTTP request via the '/images' API endpoint. This is due to insufficient validation of the src query parameter, which allows arbitrary HTTP or HTTPS URIs to be supplied, potentially leading to requests against internal and external networks.

Recommendations: Update evershop to version 2.1.1 or later.
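The weakness described above is an image-fetching endpoint that accepts an arbitrary URL in a query parameter. The following is an added example of the allow-list validation such an endpoint needs before it makes any outbound request; it is hypothetical defensive code written for this advisory, not EverShop's own code or its 2.1.1 fix. The handler shape, the function names and the ALLOWED_IMAGE_HOSTS list are assumptions; the rejected inputs in the usage section are constructed.

```javascript
// Added example (not EverShop's code): allow-list validation for an
// image-proxy "src" parameter, applied before any server-side fetch.
// The host list and handler shape are assumptions for illustration.

// Constructed allow-list: the only origins this proxy may fetch from.
const ALLOWED_IMAGE_HOSTS = new Set(["cdn.example.com", "images.example.com"]);

// Returns { ok: true, url } for an acceptable source, else { ok: false, reason }.
// The WHATWG URL parser (global in Node.js) canonicalises the hostname
// (lower-casing, IDNA, IPv4 shorthand such as decimal or hex forms), so the
// allow-list comparison runs on the normalised host, not the raw string.
function validateImageSource(src, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  if (typeof src !== "string" || src.length === 0 || src.length > 2048) {
    return { ok: false, reason: "missing or oversized src" };
  }
  let url;
  try {
    // No base URL is given, so relative paths and scheme-less values fail here.
    url = new URL(src);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Only https is accepted; plain http, file, gopher, etc. are all refused.
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  // url.port is "" for the scheme's default port; anything else is refused.
  if (url.port !== "") {
    return { ok: false, reason: "explicit port not allowed" };
  }
  // IPv4 literals and bracketed IPv6 literals can never be allow-listed DNS
  // names; reject them explicitly so the reason is unambiguous in logs.
  if (/^\[|^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname)) {
    return { ok: false, reason: "IP literal host" };
  }
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: `host not in allow-list: ${url.hostname}` };
  }
  return { ok: true, url: url.href };
}

// Hypothetical handler shape for a GET /images?src=... route: the request is
// rejected with 400 before any network activity. The fetch itself is omitted;
// a real proxy would also pin the resolved address and disable redirects.
function checkImageRequest(query) {
  const result = validateImageSource(query && query.src);
  if (!result.ok) {
    return { status: 400, body: { error: "invalid src", reason: result.reason } };
  }
  return { status: 200, body: { fetch: result.url } };
}

// Constructed inputs showing which values are refused and why.
for (const src of [
  "https://cdn.example.com/a.png",
  "http://cdn.example.com/a.png",
  "https://127.0.0.1/latest",
  "https://[::1]/x",
  "https://cdn.example.com:8443/x",
  "https://user:pw@cdn.example.com/x",
  "/images/a.png",
  "https://other.example.net/x",
]) {
  console.log(src, "=>", JSON.stringify(validateImageSource(src)));
}

module.exports = { validateImageSource, checkImageRequest, ALLOWED_IMAGE_HOSTS };
```

The check is deliberately positive (a fixed set of hostnames) rather than a deny-list of private ranges: a deny-list has to keep up with every address encoding and every internal hostname, while an allow-list only has to name the origins the store actually serves images from. Logging the rejection reason gives detection a clear signal when the parameter is probed with unexpected hosts or schemes.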

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2025-67427
GHSA-VP8W-WJ4M-3R7J

Affected Products

Evershop