
CVE-2025-53623 – Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class
https://notcve.org/view.php?id=CVE-2025-53623
14 Jul 2025 — The Job Iteration API is an extension for ActiveJob that makes jobs interruptible and resumable. Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions `1.11.0` and above. Users can mitigate the risk by avoiding the... • https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-30999 – WordPress WP Shopify <= 1.5.3 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-30999
05 Jun 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Fahad Mahmood WP Shopify allows PHP Local File Inclusion. This issue affects WP Shopify: from n/a through 1.5.3. The WP Shopify plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the exe... • https://patchstack.com/database/wordpress/plugin/wp-shopify/vulnerability/wordpress-wp-shopify-1-5-3-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-48069 – ejson2env has insufficient input sanitization
https://notcve.org/view.php?id=CVE-2025-48069
21 May 2025 — ejson2env allows users to decrypt EJSON secrets and export them as environment variables. Prior to version 2.0.8, the `ejson2env` tool has a vulnerability related to how it writes to `stdout`. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to `stdout`. If th... • https://github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-31795 – WordPress Shopify to WooCommerce Migration plugin <= 1.3.0 - Settings Change vulnerability
https://notcve.org/view.php?id=CVE-2025-31795
02 Apr 2025 — Missing Authorization vulnerability in Plugin Devs Shopify to WooCommerce Migration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shopify to WooCommerce Migration: from n/a through 1.3.0. The SWM – Shopify to WooCommerce Migration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to update the plugin's settings. • https://patchstack.com/database/wordpress/plugin/migrate-shopify-to-woocommerce/vulnerability/wordpress-shopify-to-woocommerce-migration-plugin-1-3-0-settings-change-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2025-30221 – Pitchfork HTTP Request/Response Splitting vulnerability
https://notcve.org/view.php?id=CVE-2025-30221
27 Mar 2025 — Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available. • https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •

CVE-2024-56031 – WordPress Smart Shopify Product plugin <= 1.0.2 - Arbitrary Content Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-56031
17 Dec 2024 — Missing Authorization vulnerability in Yulio Aleman Jimenez Smart Shopify Product allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Shopify Product: from n/a through 1.0.2. The Smart Shopify Product plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on a function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitra... • https://patchstack.com/database/wordpress/plugin/smart-shopify-product/vulnerability/wordpress-smart-shopify-product-plugin-1-0-2-arbitrary-content-deletion-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2024-45036 – Improper Access Control Vulnerability When Accessing a Maliciously Crafted Tophat Link
https://notcve.org/view.php?id=CVE-2024-45036
26 Aug 2024 — Tophat is a mobile applications testing harness. An Improper Access Control vulnerability can expose the `TOPHAT_APP_TOKEN` token stored in `~/.tophatrc` through use of a malicious Tophat URL controlled by the attacker. The vulnerability allows Tophat to send this token to the attacker's server without any checks to ensure that the server is trusted. This token can then be used to access internal build artifacts for mobile applications that are not intended to be public. The issue has been patched as of version 1.... • https://github.com/Shopify/tophat/pull/10 • CWE-287: Improper Authentication •

CVE-2022-29230 – Potential cross-site scripting (XSS) vulnerability in Hydrogen
https://notcve.org/view.php?id=CVE-2022-29230
18 May 2022 — Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. • https://github.com/Shopify/hydrogen/pull/1272 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-8176
https://notcve.org/view.php?id=CVE-2020-8176
02 Jul 2020 — A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the `shop` parameter on the `/shopify/auth/enable_cookies` endpoint. • https://github.com/Shopify/quilt/pull/1455 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •