CVE-2025-65844 — HIGH (7.5)

Vulnerability Description

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Evershop	Evershop	2.0.1

Related Weaknesses (CWE)

CWE-434

References

https://github.com/evershopcommerce/evershop/issues/819ExploitIssue TrackingVendor Advisory

FAQ

What is CVE-2025-65844?

CVE-2025-65844 is a vulnerability with a CVSS score of 7.5 (HIGH). EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and...

How severe is CVE-2025-65844?

CVE-2025-65844 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-65844?

Check the references section above for vendor advisories and patch information. Affected products include: Evershop Evershop.