nopcommerce
Web & CMS Plugins | commercial
Latest CVEs
The 15 most recently published vulnerabilities affecting nopcommerce.
- CVE-2025-65593 (score 8.8): nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality.
- CVE-2025-65592 (score 6.1): nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored...
- CVE-2025-65591 (score 5.4): nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality.
- CVE-2025-65590 (score 5.4): nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area.
- CVE-2025-65589 (score 6.1): nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality.
- CVE-2025-11699 (score 7.1)
- CVE-2021-42193 (score 6.1): nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires.
- CVE-2024-58248 (score 3.5): nopCommerce through 4.90.1 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards.
- CVE-2024-38963 (score 6.1): Nopcommerce 4.70.1 is vulnerable to Cross Site Scripting (XSS) via the combined "AddProductReview.Title" and "AddProductReview.ReviewText" parameter(s) (Reviews) when creating a new review.
- CVE-2022-26954 (score 6.1): Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl ...
- CVE-2022-33077 (score 7.5): An access control issue in nopcommerce v4.50.2 allows attackers to arbitrarily modify any customer's address via the addressedit endpoint.
- CVE-2022-27461 (score 6.1): In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.
- CVE-2022-28451 (score 7.5): nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature.
- CVE-2022-28450 (score 5.4): nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code at cli...
- CVE-2022-28449 (score 6.1): nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). At Apply for vendor account feature, an attacker can upload an arbitrary file to the system.