nopSolutions/nopCommerce

GitHub

github.com

www.nopcommerce.com

Releases159

Frequency3 weeks 2 days

Last Release 3 months ago

Stars10.1K

ASP.NET Core eCommerce software. nopCommerce is a free and open-source shopping cart.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-11699 ↗	Dec 1, 2025Monday, 1 December 2025, 16:15	7.1 HIGH	—
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
CVE-2024-58248 ↗	Apr 16, 2025Wednesday, 16 April 2025, 14:15	3.5 LOW	—
nopCommerce through 4.90.1 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards.
CVE-2024-38963 ↗	Jul 9, 2024Tuesday, 9 July 2024, 22:15	6.1 MEDIUM	—
Nopcommerce 4.70.1 is vulnerable to Cross Site Scripting (XSS) via the combined "AddProductReview.Title" and "AddProductReview.ReviewText" parameter(s) (Reviews) when creating a new review.
CVE-2022-26954 ↗	Oct 20, 2022Thursday, 20 October 2022, 11:15	6.1 MEDIUM	—
Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class.
CVE-2022-28451 ↗	May 2, 2022Monday, 2 May 2022, 00:15	7.5 HIGH	5 MEDIUM
nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature.
CVE-2022-28449 ↗	Apr 26, 2022Tuesday, 26 April 2022, 21:15	6.1 MEDIUM	4.3 MEDIUM
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). At Apply for vendor account feature, an attacker can upload an arbitrary file to the system.
CVE-2022-28450 ↗	Apr 26, 2022Tuesday, 26 April 2022, 21:15	5.4 MEDIUM	3.5 LOW
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code at client browser.
CVE-2022-28448 ↗	Apr 26, 2022Tuesday, 26 April 2022, 20:15	5.4 MEDIUM	3.5 LOW
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject javascript code to First name or Last name at Customer Info.
CVE-2021-26916 ↗	Feb 8, 2021Monday, 8 February 2021, 22:15	6.1 MEDIUM	4.3 MEDIUM
In nopCommerce 4.30, a Reflected XSS issue in the Discount Coupon component allows remote attackers to inject arbitrary web script or HTML through the Filters/CheckDiscountCouponAttribute.cs discountcode parameter.
CVE-2019-11519 ↗	Apr 25, 2019Thursday, 25 April 2019, 13:29	—	4 MEDIUM
Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen.