11 matches found
Vendure Core - SQL Injection
Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or inp...
CVE-2026-40887
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression...
CVE-2026-40887
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression...
CVE-2026-40887 @vendure/core has a SQL Injection vulnerability
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression...
CVE-2026-40887 @vendure/core has a SQL Injection vulnerability
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression...
Vendure SQL注入漏洞
Vendure is an open-source e-commerce framework developed by Vendure. Versions of Vendure from 1.7.4 to 2.3.4, as well as versions before 3.5.7 and 3.6.2, have a SQL injection vulnerability. This vulnerability arises from the fact that user-controlled query string parameters in the Shop API are...
@vendure/core has a SQL Injection vulnerability
Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affec...
PT-2026-33235
Name of the Vulnerable Software and Affected Versions @vendure/core versions prior to 2.3.4 @vendure/core versions 3.0.0 through 3.5.6 @vendure/core versions 3.6.0 through 3.6.1 Description An unauthenticated SQL injection exists in the Shop API and an authenticated SQL injection exists in the...
EUVD-2025-201807
Malicious code in shop-api-sdk npm...
Malicious code in shop-api-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0306448f7e93f12777f1ee6bfa83d502c06b0a61ae631c612fabd3f8a5d6021 The package shop-api-sdk was found to contain malicious code. Source: ossf-package-analysis...
MAL-2025-192378 Malicious code in shop-api-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0306448f7e93f12777f1ee6bfa83d502c06b0a61ae631c612fabd3f8a5d6021 The package shop-api-sdk was found to contain malicious code. Source: ossf-package-analysis...