{"id":"CVE-2025-65844","details":"EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space.","modified":"2026-04-10T05:34:09.620951Z","published":"2025-12-02T18:15:49.243Z","references":[{"type":"REPORT","url":"https://github.com/evershopcommerce/evershop/issues/819"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/evershopcommerce/evershop","events":[{"introduced":"0"},{"last_affected":"758e3ba0d260de2b34493ac998833b2f2a96450e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.0.1"}]}}],"versions":["1.0.0-rc.9","v1.0.0","v1.1.0","v1.2.0","v1.2.1","v1.2.2","v2.0.0","v2.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65844.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}