Yshopmall

yshopmall

Vendor: Guchengwuyue • 4 CVEs

CVEs (4)

Vendors: 1 (Guchengwuyue)
Products: 1 (Yshopmall)
Updated: Apr 29, 2026
Published: Feb 8, 2026
CVSS: 2.1 LOW (v4), 8.8 HIGH (v3), 6.5 MEDIUM (v2)
A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Vendors: 1 (Guchengwuyue)
Products: 1 (Yshopmall)
Updated: Apr 29, 2026
Published: Jan 9, 2026
CVSS: 2.1 LOW (v4), 9.8 CRITICAL (v3), 6.5 MEDIUM (v2)
A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Vendors: 1 (Guchengwuyue)
Products: 1 (Yshopmall)
Updated: Jun 12, 2025
Published: Mar 4, 2025
CVSS: N/A (v4), 7.2 HIGH (v3), N/A (v2)
yshopmall <=v1.9.0 is vulnerable to SQL Injection in the image listing interface.

Vendors: 1 (Guchengwuyue)
Products: 1 (Yshopmall)
Updated: Jun 17, 2025
Published: Nov 15, 2024
CVSS: N/A (v4), 9.8 CRITICAL (v3), N/A (v2)
yshopmall V1.0 has an arbitrary file upload vulnerability, which can enable RCE or even take over the server when improperly configured to parse JSP files.