Security

SECURITY.md

Security Policy

Supported Versions

We provide security updates only for supported versions of UnoPim.

Version	Status	Security Fixes
0.2.x	❌ Deprecated	❌
0.3.x	❌ Deprecated	❌
1.0.x	✅ Supported	✅
2.0.x	✅ Supported	✅

⚠️ Versions 0.2.x and 0.3.x are deprecated and no longer receive security updates.
Please upgrade to a supported version.

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

Do not open a public issue.
Email: support@webkul.com

Include:

Description of the issue
Steps to reproduce
Impact assessment
Affected version(s)
Any suggested fixes (optional)

We will acknowledge receipt within 72 hours.

Security Process

For supported versions (1.0.x and 2.0.x), we follow this process:

Acknowledgment (within 72 hours)
Investigation & severity assessment
Fix development
Patch release
Disclosure (with credit, if desired)

Preferred Language

Please report vulnerabilities in English.

Thank You

We appreciate responsible disclosure and your help in keeping UnoPim secure.

Security Vulnerability Disclosure: Broken Access Control
GHSA-8p2f-fx4q-75cx published Aug 22, 2025 by devansh-pal-webkul

High
CSV Injection on Quick Export feature
GHSA-74rg-6f92-g6wx published Aug 22, 2025 by devansh-pal-webkul

High
CSRF on Product edit feature and creation of other types
GHSA-287x-6r2h-f9mw published Aug 21, 2025 by navneetkumar-webkul

Moderate
RCE through Arbitrary File upload
GHSA-v22v-xwh7-2vrm published Aug 21, 2025 by navneetkumar-webkul

Critical
Stored XSS via SVG MIME/Sanitizer Bypass
GHSA-xr97-25v7-hc2q published Aug 21, 2025 by navneetkumar-webkul

High
Stored XSS : Cookie hijacking through Create User function
GHSA-cgr4-c233-h733 published Nov 13, 2024 by navneetkumar-pim-webkul

Low

Learn more about advisories related to unopim/unopim in the GitHub Advisory Database