CVE-2026-25993 is a critical SQL Injection vulnerability identified in the EverShop eCommerce platform, specifically affecting versions prior to 2.1.1. EverShop is a TypeScript-first platform widely used for online retail solutions. The vulnerability stems from the way the application handles category update and deletion events. During these operations, the application takes the url_key value, which is stored in the database and derived from user-controllable input, and embeds it directly into SQL statements via string concatenation without proper sanitization or parameterization. This unsafe practice leads to a second-order SQL injection: a malicious payload stored in the url_key field is not immediately executed but triggers SQL injection when the event processing executes the constructed SQL statement. The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to data leakage, unauthorized data modification, or disruption of database integrity. The CVSS 4.0 score of 9.3 reflects the vulnerability's network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity. Although no public exploits have been reported yet, the vulnerability is critical due to the ease of exploitation and the sensitive nature of eCommerce data. The vendor has addressed this issue in version 2.1.1 by properly sanitizing inputs and avoiding unsafe SQL concatenation. Organizations running affected versions should prioritize upgrading to mitigate the risk.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive eCommerce data, including customer information, transaction records, and product details. Exploitation could lead to unauthorized data disclosure, data tampering, or complete compromise of the backend database, potentially disrupting business operations and damaging customer trust. Given the critical CVSS score and the lack of required authentication, attackers can remotely exploit this vulnerability without user interaction, increasing the likelihood of automated attacks. The impact is particularly severe for online retailers and service providers relying on EverShop for their commerce infrastructure. Regulatory compliance risks also arise, as data breaches involving personal data could trigger GDPR violations and associated penalties. The disruption of eCommerce services could affect revenue streams and brand reputation across European markets.

European organizations using EverShop should immediately upgrade to version 2.1.1 or later, where the vulnerability is patched. If upgrading is not immediately feasible, organizations should implement input validation and sanitization controls to ensure that url_key and related fields do not contain malicious SQL code. Employing parameterized queries or prepared statements in all database interactions is critical to prevent SQL injection. Additionally, monitoring database logs and application behavior for unusual queries or errors related to category updates or deletions can help detect exploitation attempts. Restricting database permissions to the minimum necessary and isolating the database environment can limit the impact of a successful attack. Organizations should also review their incident response plans to address potential data breaches stemming from this vulnerability. Regular security assessments and code reviews focusing on input handling and SQL query construction are recommended to prevent similar issues.