CVE-2026-25993

9.8 CRITICAL

📋 TL;DR

CVE-2026-25993 is a second-order SQL injection vulnerability in the EverShop eCommerce platform. An attacker who can set a category's url_key stores a value containing SQL metacharacters; nothing happens at write time, but the stored value is later built into a query when a category update or deletion event fires, and the injected SQL executes then. Every EverShop installation running an unpatched version is affected.
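The second-order pattern described above, as an added illustration (this is not EverShop's code; the table names category and url_rewrite, the column request_path and the shape of the event handler are assumptions made for the example). The first write binds its value correctly and therefore stores the payload intact; a later handler trusts the stored value because it came from the database and concatenates it; the hardened handler binds it as a parameter no matter where it came from. The allow-list check at the end is the slug regex from the workarounds section, written with the hyphen last in the character class so it cannot be read as a range.

```javascript
// Constructed example of second-order SQL injection (not EverShop's code).
// Table/column names are assumptions for illustration only.

// Step 1: the url_key is stored with a parameterized INSERT. This is correct,
// and it is exactly why the payload survives unchanged to step 2.
function buildInsertCategory(urlKey) {
  return { text: 'INSERT INTO category (url_key) VALUES ($1)', values: [urlKey] };
}

// Step 2 (vulnerable): a later event handler reads the row back and trusts
// the stored url_key, splicing it straight into the SQL text.
function buildDeleteRewriteVulnerable(row) {
  return {
    text: `DELETE FROM url_rewrite WHERE request_path = '${row.url_key}'`,
    values: [],
  };
}

// Step 2 (hardened): same query, value bound as a parameter regardless of origin.
function buildDeleteRewriteSafe(row) {
  return {
    text: 'DELETE FROM url_rewrite WHERE request_path = $1',
    values: [row.url_key],
  };
}

// Defense in depth: allow-list the slug shape before it is ever stored.
// The hyphen is last in the class so it is a literal, not a range.
const URL_KEY_RE = /^[A-Za-z0-9_-]+$/;
function isValidUrlKey(urlKey) {
  return typeof urlKey === 'string'
    && urlKey.length > 0
    && urlKey.length <= 255
    && URL_KEY_RE.test(urlKey);
}

// Constructed payload: a tautology that widens the DELETE to every rewrite row.
const PAYLOAD = "shoes' OR '1'='1";
// What a SELECT would hand back after step 1 stored the payload verbatim.
const storedRow = { id: 42, url_key: PAYLOAD };

function demo() {
  return {
    insert: buildInsertCategory(PAYLOAD),
    vulnerable: buildDeleteRewriteVulnerable(storedRow),
    safe: buildDeleteRewriteSafe(storedRow),
    rejectedByValidation: !isValidUrlKey(PAYLOAD),
  };
}

console.log(demo());
```

The point the output makes is that the vulnerable text becomes `... WHERE request_path = 'shoes' OR '1'='1'`, which deletes every row, while the safe form keeps the same bytes in `values[0]` where the driver quotes them. Validation at write time is worth having, but it does not clean up rows stored before it was added; the binding fix is the one that closes the hole.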

💻 Affected Systems

Products:
  • EverShop
Versions: All versions before v2.1.1
Operating Systems: All platforms running EverShop
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when using category management features.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: data theft, modification or deletion, and potentially remote code execution through database functions if the application's database role is privileged enough to reach them.

🟠 Likely Case

Exfiltration of customer records, order data and administrative credentials held in the database.

🟢 If Mitigated

Limited impact if the application's database role holds only the privileges it needs and url_key is validated against a strict allow-list before it is stored.

🌐 Internet-Facing: HIGH - EverShop is typically deployed as internet-facing eCommerce software accessible to attackers.
🏢 Internal Only: MEDIUM - Internal deployments still vulnerable to insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the ability to set a category's url_key (normally an admin or catalog-management account) and a later category update or deletion, which is the moment the stored payload is executed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.1.1

Vendor Advisory: https://github.com/evershopcommerce/evershop/security/advisories/GHSA-3h84-9rhc-j2ch

Restart Required: Yes

Instructions:

1. Back up the database and application files.
2. Update EverShop to version 2.1.1 or later via the package manager (the @evershop/evershop package) or a manual update.
3. Restart the application server.
4. Verify that the installed version is 2.1.1 or later.

🔧 Temporary Workarounds

Input Validation for url_key

all platforms

Add server-side validation that rejects (rather than strips) any url_key that is not a plain slug before it is stored. This only protects new writes: values stored before the check was added still reach the vulnerable handler, so audit existing url_key values as well.

Regex: /^[A-Za-z0-9_-]+$/ (hyphen last in the class so it cannot be read as a range)

Database User Privilege Reduction

all platforms

Grant the application's database role only the table privileges it needs (SELECT, INSERT, UPDATE and DELETE, since category deletion must keep working) and keep schema and object ownership with a separate migration role.

PostgreSQL (the database EverShop runs on): REVOKE CREATE ON SCHEMA public FROM evershop_user; Note that an object's owner can DROP it regardless of granted privileges, so the tables must not be owned by the application role.

MySQL syntax for the same idea: REVOKE DROP, CREATE, ALTER, EXECUTE ON *.* FROM 'evershop_user'@'%';

🧯 If You Can't Patch

  • Disable category update and deletion in the admin interface until the patch is applied; without those events the stored payload never runs
  • Add WAF rules that block quotes, semicolons and comment sequences in url_key on POST requests to the category endpoints; this stops only new payloads, so also inspect url_key values already in the database, since a stored payload still fires on the next update or deletion

🔍 How to Verify

Check if Vulnerable:

The vulnerable code ships in the @evershop/evershop npm package, so check that package's version rather than the application's own package.json. Any version below 2.1.1 is vulnerable; for a source checkout, check the tag with git describe --tags.

Check Version:

npm ls @evershop/evershop
grep '"version"' node_modules/@evershop/evershop/package.json

Verify Fix Applied:

Confirm the installed version is 2.1.1 or later and that the category update and deletion event handlers pass url_key to the database as a bound parameter instead of building the query string from it.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in the application log raised while handling category update or deletion requests
  • Repeated category update attempts from one account or address whose url_key contains quotes, semicolons or comment sequences (--, /*)
  • If statement logging is enabled on the database, query text in which a url_key value appears inline instead of as a bound parameter

Network Indicators:

  • POST requests to /admin/category/* endpoints whose url_key carries SQL metacharacters (a legitimate slug has none)
  • Unusual database query volume or shape from the application server around category update or deletion events

SIEM Query:

source="app.log" AND ("syntax error at or near" OR "You have an error in your SQL syntax") AND "/category/"

The first error string is PostgreSQL's wording (the database EverShop runs on); the second is MySQL's.
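The two log indicators above as runnable detection logic, added here as an example and not taken from the advisory or from EverShop: one pass flags database syntax errors raised on category paths (matching PostgreSQL's wording, since that is EverShop's database, as well as MySQL's), and a second pass counts, per source address, category writes whose url_key is not a plain slug and reports addresses that cross a threshold. The log line format, field names (ip=, url_key=, status=, error:) and the sample lines are constructed for the example; adapt the regexes to your own logger.

```javascript
// Added detection example over constructed log lines (not EverShop's format).
const SQL_ERROR_RE = /syntax error at or near|You have an error in your SQL syntax/i;
const CATEGORY_PATH_RE = /\/category\//i;
const URL_KEY_OK_RE = /^[A-Za-z0-9_-]+$/; // shape of a legitimate slug

// Constructed sample log: one admin probes url_key twice with quotes, then the
// delete event blows up with a PostgreSQL syntax error; a second admin is benign;
// a final SQL error on a non-category path shows the path filter at work.
const SAMPLE_LOG = [
  '2026-02-03T10:00:01Z info  POST /admin/category/edit/12 ip=203.0.113.7 url_key=men-shoes status=200',
  "2026-02-03T10:00:05Z info  POST /admin/category/edit/12 ip=203.0.113.7 url_key=men-shoes' status=200",
  "2026-02-03T10:00:09Z info  POST /admin/category/edit/12 ip=203.0.113.7 url_key=men' OR '1'='1 status=200",
  '2026-02-03T10:00:12Z error DELETE /admin/category/delete/12 ip=203.0.113.7 error: syntax error at or near "OR"',
  '2026-02-03T10:05:00Z info  POST /admin/category/edit/13 ip=198.51.100.4 url_key=women-bags status=200',
  '2026-02-03T10:06:00Z error GET /api/products ip=198.51.100.4 error: syntax error at or near "FROM"',
];

// Pull the fields we care about; each regex tolerates the field being absent.
function parseLine(line) {
  const path = (/\b(?:POST|GET|DELETE|PUT|PATCH)\s+(\S+)/.exec(line) || [])[1] || '';
  const ip = (/\bip=(\S+)/.exec(line) || [])[1] || '';
  const urlKey = (/\burl_key=(.*?)\s+status=/.exec(line) || [])[1];
  const error = (/\berror:\s*(.*)$/.exec(line) || [])[1];
  return { path, ip, urlKey, error, raw: line };
}

// Indicator 1: database syntax errors while serving a category endpoint.
function findSqlErrorsOnCategoryPaths(lines) {
  return lines
    .map(parseLine)
    .filter((e) => e.error && SQL_ERROR_RE.test(e.error) && CATEGORY_PATH_RE.test(e.path));
}

// Indicator 2: repeated category writes with a non-slug url_key from one address.
function findRepeatOffenders(lines, threshold = 2) {
  const byIp = new Map();
  for (const e of lines.map(parseLine)) {
    if (e.urlKey === undefined || !CATEGORY_PATH_RE.test(e.path)) continue;
    if (URL_KEY_OK_RE.test(e.urlKey)) continue;
    const entry = byIp.get(e.ip) || { ip: e.ip, count: 0, samples: [] };
    entry.count += 1;
    entry.samples.push(e.urlKey);
    byIp.set(e.ip, entry);
  }
  return [...byIp.values()].filter((x) => x.count >= threshold);
}

function analyze(lines, threshold = 2) {
  return {
    sqlErrors: findSqlErrorsOnCategoryPaths(lines).map((e) => e.raw),
    repeatOffenders: findRepeatOffenders(lines, threshold),
  };
}

console.log(JSON.stringify(analyze(SAMPLE_LOG), null, 2));
```

Because the injection is second-order, the error (indicator 1) can land minutes or days after the write that planted it (indicator 2); correlate the two on the category id or the admin account rather than expecting them in the same request.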
