Aggregates CVE and security vulnerability intelligence across all nopcommerce-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk csrf, vendor risk open redirect, and vendor risk path handling and related problems; some flaws may lead to vendor impact session compromise and vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-65593 | nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality. | [email protected] | 8.8 | 0.02% | 2025-12-16 | 2025-12-19 |
| CVE-2025-65592 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the affected pages. | [email protected] | 6.1 | 0.02% | 2025-12-16 | 2025-12-19 |
| CVE-2025-65591 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality. | [email protected] | 5.4 | 0.02% | 2025-12-16 | 2025-12-19 |
| CVE-2025-65590 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area. | [email protected] | 5.4 | 0.02% | 2025-12-16 | 2025-12-19 |
| CVE-2025-65589 | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality. | [email protected] | 6.1 | 0.02% | 2025-12-16 | 2025-12-19 |
| CVE-2025-11699 | nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability. | [email protected] | 7.1 | 0.03% | 2025-12-01 | 2025-12-19 |
| CVE-2021-42193 | nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires. | [email protected] | 6.1 | 0.03% | 2025-10-03 | 2025-12-19 |
| CVE-2024-58248 | nopCommerce through 4.90.1 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards. | [email protected] | 3.5 | 0.29% | 2025-04-16 | 2025-12-19 |
| CVE-2024-38963 | Nopcommerce 4.70.1 is vulnerable to Cross Site Scripting (XSS) via the combined "AddProductReview.Title" and "AddProductReview.ReviewText" parameter(s) (Reviews) when creating a new review. | [email protected] | 6.1 | 0.84% | 2024-07-09 | 2025-12-31 |
| CVE-2022-26954 | Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class. | [email protected] | 6.1 | 0.28% | 2022-10-20 | 2025-05-08 |
| CVE-2022-33077 | An access control issue in nopcommerce v4.50.2 allows attackers to arbitrarily modify any customer's address via the addressedit endpoint. | [email protected] | 7.5 | 0.20% | 2022-10-19 | 2025-05-09 |
| CVE-2022-27461 | In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link. | [email protected] | 6.1 | 0.20% | 2022-05-04 | 2024-11-21 |
| CVE-2022-28451 | nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature. | [email protected] | 7.5 | 0.65% | 2022-05-02 | 2024-11-21 |
| CVE-2022-28450 | nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code at client browser. | [email protected] | 5.4 | 0.19% | 2022-04-26 | 2024-11-21 |
| CVE-2022-28449 | nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). At Apply for vendor account feature, an attacker can upload an arbitrary file to the system. | [email protected] | 6.1 | 0.23% | 2022-04-26 | 2024-11-21 |
| CVE-2022-28448 | nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject javascript code to First name or Last name at Customer Info. | [email protected] | 5.4 | 0.25% | 2022-04-26 | 2024-11-21 |
| CVE-2021-26916 | In nopCommerce 4.30, a Reflected XSS issue in the Discount Coupon component allows remote attackers to inject arbitrary web script or HTML through the Filters/CheckDiscountCouponAttribute.cs discountcode parameter. | [email protected] | 6.1 | 0.19% | 2021-02-08 | 2024-11-21 |
| CVE-2020-29475 | nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. | [email protected] | 4.8 | 0.49% | 2020-12-29 | 2024-11-21 |
| CVE-2019-19685 | RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions. | [email protected] | 8.8 | 0.14% | 2019-12-09 | 2024-11-21 |
| CVE-2019-19684 | nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin. | [email protected] | 8.8 | 0.39% | 2019-12-09 | 2024-11-21 |