65 matches found
Vendure Core - SQL Injection
Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or inp...
Vendure - Arbitrary File Read
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data...
MAL-2026-3458 Malicious code in @tallyui/connector-vendure (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0283da4a59287c5418e3485a9a642cfbb9cc387f5e1ab4c120af92199daa0970 The package @tallyui/connector-vendure was found to contain malicious code. Source: ghsa-malware...
Malicious code in @tallyui/connector-vendure (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0283da4a59287c5418e3485a9a642cfbb9cc387f5e1ab4c120af92199daa0970 The package @tallyui/connector-vendure was found to contain malicious code. Source: ghsa-malware...
CVE-2026-40887
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression...
CVE-2026-40887
Vendure Core SQL Injection (CVE-2026-40887) affects @vendure/core via Shop API in ProductService.findOneBySlug where languageCode is interpolated into a raw SQL CASE expression without parameterization. Unauthenticated attackers can supply languageCode from the HTTP query string to inject arbitra...
CVE-2026-40887 @vendure/core has a SQL Injection vulnerability
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression...
CVE-2026-40887 @vendure/core has a SQL Injection vulnerability
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression...
Vendure SQL注入漏洞
Vendure is an open-source e-commerce framework developed by Vendure. Versions of Vendure from 1.7.4 to 2.3.4, as well as versions before 3.5.7 and 3.6.2, have a SQL injection vulnerability. This vulnerability arises from the fact that user-controlled query string parameters in the Shop API are...
SQL Injection
Overview @vendure/core is an A modern, headless ecommerce framework Affected versions of this package are vulnerable to SQL Injection via the ProductService.findOneBySlug function in Admin and Vendure Shop API. An attacker can execute arbitrary SQL commands on the database by supplying a crafted...
@semic/testing (=2.2.11), @vendure/dashboard (>=3.2.2 <=3.4.4) potentially affected by CVE-2026-40887 via @vendure/core (>=3.0.0 <=3.4.4)
@vendure/core NPM version =3.0.0, =3.2.2, =3.4.4 Source cves: CVE-2026-40887 Source advisory: SNYK:JS-VENDURECORE-16068909...
@grupo-loja/vendure-banner-plugin (=1.0.0), @grupo-loja/vendure-conect-envios-plugin (>=1.0.0 <=1.0.1) +54 more potentially affected by CVE-2026-40887 via @vendure/core (>=1.9.5 <=2.2.7)
@vendure/core NPM version =1.9.5, =1.0.0, =0.0.1, =1.0.3, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1, =2.0.0, =2.0.0, =2.2.4 and more Source cves: CVE-2026-40887 Source advisory: OSV:GHSA-9PP3-53P2-WW9V...
@vendure/core has a SQL Injection vulnerability
Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affec...
@semic/testing (=2.2.11), @vendure/dashboard (>=3.2.2 <=3.4.4) potentially affected by CVE-2026-40887 via @vendure/core (>=3.0.0 <=3.4.4)
@vendure/core NPM version =3.0.0, =3.2.2, =3.4.4 Source cves: CVE-2026-40887 Source advisory: OSV:GHSA-9PP3-53P2-WW9V...
@grupo-loja/vendure-banner-plugin (=1.0.0), @grupo-loja/vendure-conect-envios-plugin (>=1.0.0 <=1.0.1) +54 more potentially affected by CVE-2026-40887 via @vendure/core (>=1.9.5 <=2.2.7)
@vendure/core NPM version =1.9.5, =1.0.0, =0.0.1, =1.0.3, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1, =2.0.0, =2.0.0, =2.2.4 and more Source cves: CVE-2026-40887 Source advisory: SNYK:JS-VENDURECORE-16068909...
GHSA-9PP3-53P2-WW9V @vendure/core has a SQL Injection vulnerability
Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affec...
PT-2026-33235
Name of the Vulnerable Software and Affected Versions @vendure/core versions prior to 2.3.4 @vendure/core versions 3.0.0 through 3.5.6 @vendure/core versions 3.6.0 through 3.6.1 Description An unauthenticated SQL injection exists in the Shop API and an authenticated SQL injection exists in the...
CVE-2026-25050
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the NativeAuthenticationStrategy.authenticate method is vulnerable to a timing attack that allows attackers to enumerate valid usernames email addresses. In packages/core/src/config/auth/native-authentication-strategy.t...
@glarus-labs/vendure-social-auth (>=0.0.1 <=0.1.1), @grupo-loja/vendure-banner-plugin (=1.0.0) +96 more potentially affected by CVE-2026-25050 via @vendure/core (>=0.11.1 <=3.4.4)
@vendure/core NPM version =0.11.1, =0.0.1, =1.0.0, =1.0.4, =0.0.1, =1.0.3, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1, =2.2.3 and more Source cves: CVE-2026-25050 Source advisory: OSV:GHSA-6F65-4FV2-WWCH...
GHSA-6F65-4FV2-WWCH Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
Summary The NativeAuthenticationStrategy.authenticate method is vulnerable to a timing attack that allows attackers to enumerate valid usernames email addresses. Details In packages/core/src/config/auth/native-authentication-strategy.ts, the authenticate method returns immediately if a user is no...