spreecommerce

Top products

The 13 most recently published vulnerabilities affecting spreecommerce.

• CVE-2026-25757Unauthenticated Spree Commerce users can view completed guest orders by Order ID5.3Feb 6, 2026
• CVE-2026-25758Spree allows unauthenticated users can access all guest addresses7.5Feb 6, 2026
• CVE-2026-22589Spree API has Unauthenticated IDOR - Guest Address7.5Jan 10, 2026
• CVE-2026-22588Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification6.5Jan 8, 2026
• CVE-2011-10026Spreecommerce < 0.50.x API RCE9.8Aug 20, 2025
• CVE-2011-10019Spreecommerce < 0.60.2 Search Parameter RCE9.8Aug 13, 2025
• CVE-2021-41275Authentication Bypass by CSRF Weakness9.3Nov 17, 2021
• CVE-2020-26223Authorization bypass in Spree7.7Nov 13, 2020
• CVE-2013-2506app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to ...4.0Mar 8, 2013
• CVE-2013-1656Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/c...4.3Mar 8, 2013
• CVE-2008-7310Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step ...5.0Apr 4, 2012
• CVE-2008-7311The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptograp...5.0Apr 4, 2012
• CVE-2010-3978Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensi...5.0Nov 17, 2010