cvedb.io
CVE-2025-65844
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2025-12-02T18:15:49.243 · Last modified 2026-06-17T09:56:01.053

Summary

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files), which could be used to impersonate user/admin login panels (exfiltrating credentials), and to perform a denial-of-service attack by exhausting disk space.

Affected products

evershop — evershop

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.