The Nguyen

1 exploit Active since Feb 2026
CVE-2026-25993 WRITEUP CRITICAL WRITEUP
evershop < 2.1.0 - SQL Injection via Category URL Key Processing
EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key , subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1.
CVSS 9.8