CVE-2026-25758 Spree allows unauthenticated users can access all guest addresses

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to...

CVE-2026-25758 Spree allows unauthenticated users can access all guest addresses

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to...

CVE-2026-22588

Summary (validated) : Spree (Ruby on Rails e-commerce) contains an authenticated IDOR vulnerability in which a user can retrieve other users’ address information by modifying an existing order. The flaw arises when an authenticated user manipulates address identifiers in the request during order ...

PT-2026-2214

Name of the Vulnerable Software and Affected Versions Spree versions prior to 4.10.2 Spree versions prior to 5.0.7 Spree versions prior to 5.1.9 Spree versions prior to 5.2.5 Description Spree is an open source e-commerce solution built with Ruby on Rails. An Authenticated Insecure Direct Object...

EUVD-2022-4406

Malicious code in bioql PyPI...