{"id":"CVE-2020-26008","details":"The PluginsUpload function in application/service/PluginsAdminService.php of ShopXO v1.9.0 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via uploading a crafted PHP file.","modified":"2025-11-14T10:58:11.951382Z","published":"2022-03-20T22:15:07.730Z","references":[{"type":"EVIDENCE","url":"https://github.com/gongfuxiang/shopxo/issues/47"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gongfuxiang/shopxo","events":[{"introduced":"0"},{"last_affected":"3229419670ea9251099159deb40abd68d944e48d"}]}],"versions":["v1.1.0","v1.2.0","v1.4.0","v1.5.0","v1.6.0","v1.7.0","v1.8.0","v1.8.1","v1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26008.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}