PT-2026-7418 · Evershop · Evershop
Odgrso · Published 2026-02-10 · Updated 2026-03-20 · CVE-2026-25993
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: EverShop versions prior to 2.1.1
Description: EverShop is a TypeScript-first eCommerce platform susceptible to a second-order SQL injection. During category update and deletion event handling, the application incorporates values from the url key, read back from the database, into SQL statements by string concatenation before passing them to the execute() function. If a malicious string has been stored in the url key, subsequent event processing can alter the resulting SQL statement and execute it, resulting in a second-order SQL injection. The vulnerable code utilizes the / and request path derived from the url key.
Recommendations: Versions prior to 2.1.1 should be updated to version 2.1.1 or later.
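The pattern described above, as an added illustration that is not EverShop's own code: a url key is read back from storage and concatenated into the statement text (second-order, since the hostile value arrived in an earlier write), beside the parameterized form and a write-time slug check. The table and column names, the in-memory category table and the hostile sample value are all constructed for this example.

```typescript
// Constructed stand-in for the category table; row 2 holds a value that an
// earlier, unchecked write could have stored (constructed for this example).
const categoryTable: Record<number, { url_key: string }> = {
  1: { url_key: "summer-shoes" },
  2: { url_key: "summer-shoes' OR 'a'='a" },
};

function loadUrlKey(categoryId: number): string {
  const row = categoryTable[categoryId];
  if (!row) throw new Error(`no category ${categoryId}`);
  return row.url_key;
}

// Vulnerable pattern: the stored value becomes part of the SQL text.
// Table/column names (category_path, request_path) are assumed, not EverShop's.
function buildDeleteConcat(categoryId: number): string {
  const urlKey = loadUrlKey(categoryId);
  return "DELETE FROM category_path WHERE request_path = '/" + urlKey + "'";
}

// Hardened pattern: fixed SQL text, value carried as a bound parameter
// ($1 placeholder style as used by node-postgres); it can never alter the statement.
interface PreparedStatement { text: string; values: string[] }
function buildDeleteParam(categoryId: number): PreparedStatement {
  const urlKey = loadUrlKey(categoryId);
  return {
    text: "DELETE FROM category_path WHERE request_path = $1",
    values: ["/" + urlKey],
  };
}

// Write-time validation: a url key should be a plain slug. Rejecting anything
// else on insert/update removes the first-order write the second-order read relies on.
const SLUG = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
function isValidUrlKey(urlKey: string): boolean {
  return SLUG.test(urlKey);
}

// Detection aid for generated SQL: a statement built around one string literal
// should contain exactly two single quotes; any other count means the literal
// was broken open by the data.
function countQuotes(sql: string): number {
  return (sql.match(/'/g) ?? []).length;
}
```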

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-25993, GHSA-3H84-9RHC-J2CH

Affected Products: Evershop