EXECUTIVE SUMMARY:
CVE‑2026‑25993 is a critical security flaw affecting EverShop, a TypeScript‑driven eCommerce platform used to power online stores. The vulnerability is classified as a second‑order SQL injection, meaning malicious input can be stored and later executed within the application’s database context. It has been assigned a CVSS severity score of 9.3 (Critical), reflecting the high risk of exploitation and potential impact on confidentiality and integrity. This flaw arises from unsafe handling of the url_key field, where attacker‑controlled strings can be concatenated into SQL statements. Through this injection point, attackers may manipulate backend database queries during category update or deletion processing. Successful exploitation could allow unauthorized data access or modification, potentially exposing sensitive customer and store information. The issue specifically affects versions < 2.1.1 of EverShop.
RECOMMENDATION:
We strongly recommend you update EverShop to version 2.1.1 or higher.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/cve-2026-25993-critical-evershop-sql-injection-cvss-9-3-exposes-stores/