
15 matches found

CVE
added 2026/04/21 7:24 p.m., 7 views

CVE-2026-40887

Vendure Core SQL Injection (CVE-2026-40887) affects @vendure/core via Shop API in ProductService.findOneBySlug where languageCode is interpolated into a raw SQL CASE expression without parameterization. Unauthenticated attackers can supply languageCode from the HTTP query string to inject arbitra...

CVSS 9.1, AI score 6.1, EPSS 0.07704
Exploits 0, References 1
Cvelist
added 2026/04/21 7:24 p.m., 27 views

CVE-2026-40887 @vendure/core has a SQL Injection vulnerability

Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression...

CVSS 9.1, EPSS 0.07704
Exploits 0, References 1
vulnersOsv
added 2026/04/14 10:38 p.m., 2 views

@grupo-loja/vendure-banner-plugin (=1.0.0), @grupo-loja/vendure-conect-envios-plugin (>=1.0.0 <=1.0.1) +54 more potentially affected by CVE-2026-40887 via @vendure/core (>=1.9.5 <=2.2.7)

@vendure/core NPM version =1.9.5, =1.0.0, =0.0.1, =1.0.3, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1, =2.0.0, =2.0.0, =2.2.4 and more Source cves: CVE-2026-40887 Source advisory: OSV:GHSA-9PP3-53P2-WW9V...

CVSS 9.1, AI score 5.8, EPSS 0.07704
Exploits 0
Snyk
added 2026/04/14 10:38 p.m., 2 views

SQL Injection

Overview: @vendure/core is a modern, headless ecommerce framework. Affected versions of this package are vulnerable to SQL Injection via the ProductService.findOneBySlug function in the Admin and Vendure Shop API. An attacker can execute arbitrary SQL commands on the database by supplying a crafted...

CVSS 9.1, AI score 6.1, EPSS 0.07704
Exploits 0, References 2
vulnersOsv
added 2026/04/14 10:38 p.m., 5 views

@semic/testing (=2.2.11), @vendure/dashboard (>=3.2.2 <=3.4.4) potentially affected by CVE-2026-40887 via @vendure/core (>=3.0.0 <=3.4.4)

@vendure/core NPM version =3.0.0, =3.2.2, =3.4.4 Source cves: CVE-2026-40887 Source advisory: SNYK:JS-VENDURECORE-16068909...

CVSS 9.1, AI score 5.8, EPSS 0.07704
Exploits 0
Github Security Blog
added 2026/04/14 10:38 p.m., 5 views

@vendure/core has a SQL Injection vulnerability

Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affec...

CVSS 9.1, AI score 6.2, EPSS 0.07704
Exploits 0, References 3, Affected Software 1
vulnersOsv
added 2026/04/14 10:38 p.m., 3 views

@semic/testing (=2.2.11), @vendure/dashboard (>=3.2.2 <=3.4.4) potentially affected by CVE-2026-40887 via @vendure/core (>=3.0.0 <=3.4.4)

@vendure/core NPM version =3.0.0, =3.2.2, =3.4.4 Source cves: CVE-2026-40887 Source advisory: OSV:GHSA-9PP3-53P2-WW9V...

CVSS 9.1, AI score 5.8, EPSS 0.07704
Exploits 0
vulnersOsv
added 2026/04/14 10:38 p.m., 4 views

@grupo-loja/vendure-banner-plugin (=1.0.0), @grupo-loja/vendure-conect-envios-plugin (>=1.0.0 <=1.0.1) +54 more potentially affected by CVE-2026-40887 via @vendure/core (>=1.9.5 <=2.2.7)

@vendure/core NPM version =1.9.5, =1.0.0, =0.0.1, =1.0.3, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1, =2.0.0, =2.0.0, =2.2.4 and more Source cves: CVE-2026-40887 Source advisory: SNYK:JS-VENDURECORE-16068909...

CVSS 9.1, AI score 5.8, EPSS 0.07704
Exploits 0
OSV
added 2026/04/14 10:38 p.m., 1 view

GHSA-9PP3-53P2-WW9V @vendure/core has a SQL Injection vulnerability

Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affec...

CVSS 9.1, AI score 6.2, EPSS 0.07704
Exploits 0, References 3
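The CVE-2026-40887 entries above all describe the same mechanism: a request-supplied languageCode spliced into a raw SQL CASE expression inside ProductService.findOneBySlug. The TypeScript below is an added illustration of that bug class and its fix; it is not Vendure's code, not the patched findOneBySlug, and the query shape, table and column names, and the short language-code allow-list are all assumed. It places the interpolating query builder beside one that rejects unknown codes and binds the value as a parameter, with a small check a reviewer can run to confirm the generated SQL text no longer varies with input.

```typescript
// Added example for the CVE-2026-40887 bug class. Not Vendure's code: the
// tables, columns and the allow-list below are assumptions for illustration.

// Subset of language codes the shop is configured to serve (assumed).
const KNOWN_LANGUAGE_CODES = new Set(['en', 'de', 'fr', 'es', 'zh_Hans']);

interface SqlQuery {
  text: string;
  params: unknown[];
}

// Vulnerable shape: languageCode, which the Shop API takes straight from the
// HTTP query string, is interpolated into the CASE expression. Whatever the
// client sends becomes part of the SQL text, so a quote breaks the literal.
function buildSlugQueryUnsafe(slug: string, languageCode: string): SqlQuery {
  const text =
    'SELECT p.id FROM product p ' +
    'JOIN product_translation t ON t.baseId = p.id ' +
    'WHERE t.slug = $1 ' +
    `ORDER BY CASE WHEN t.languageCode = '${languageCode}' THEN 0 ELSE 1 END ` +
    'LIMIT 1';
  return { text, params: [slug] };
}

// Hardened shape: reject anything that is not a configured language code,
// then bind the value as a parameter. The SQL text is now a constant; only
// the parameter array changes with input.
function buildSlugQuerySafe(slug: string, languageCode: string): SqlQuery {
  if (!KNOWN_LANGUAGE_CODES.has(languageCode)) {
    throw new Error(`Unsupported languageCode: ${JSON.stringify(languageCode)}`);
  }
  const text =
    'SELECT p.id FROM product p ' +
    'JOIN product_translation t ON t.baseId = p.id ' +
    'WHERE t.slug = $1 ' +
    'ORDER BY CASE WHEN t.languageCode = $2 THEN 0 ELSE 1 END ' +
    'LIMIT 1';
  return { text, params: [slug, languageCode] };
}

// Review/test helper: does the generated SQL text change when only the
// user-controlled value changes? With proper parameterization it must not.
function sqlTextDependsOnInput(
  build: (slug: string, languageCode: string) => SqlQuery,
  slug: string,
  first: string,
  second: string,
): boolean {
  return build(slug, first).text !== build(slug, second).text;
}
```

The allow-list check is what makes the value safe to use anywhere, including places where a driver cannot bind a parameter (identifiers, ORDER BY targets); the parameter binding is what keeps the query text constant even if the allow-list is later loosened.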
vulnersOsv
added 2026/01/30 7:35 p.m., 4 views

@glarus-labs/vendure-social-auth (>=0.0.1 <=0.1.1), @grupo-loja/vendure-banner-plugin (=1.0.0) +96 more potentially affected by CVE-2026-25050 via @vendure/core (>=0.11.1 <=3.4.4)

@vendure/core NPM version =0.11.1, =0.0.1, =1.0.0, =1.0.4, =0.0.1, =1.0.3, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1, =2.2.3 and more Source cves: CVE-2026-25050 Source advisory: OSV:GHSA-6F65-4FV2-WWCH...

CVSS 6.9, AI score 5.8, EPSS 0.00021
Exploits 1
Snyk
added 2026/01/30 3:53 p.m., 1 view

Information Exposure

Overview: @vendure/core is a modern, headless ecommerce framework. Affected versions of this package are vulnerable to Information Exposure via the authenticate function. An attacker can determine valid usernames by measuring response times during authentication attempts. Remediation: Upgrade...

CVSS 6.9, AI score 5.5, EPSS 0.00021
Exploits 1, References 2
vulnersOsv
added 2026/01/30 3:53 p.m., 3 views

@semic/testing (=2.2.11), @vendure/dashboard (>=3.2.2 <=3.4.4) potentially affected by CVE-2026-25050 via @vendure/core (>=3.0.0 <=3.4.4)

@vendure/core NPM version =3.0.0, =3.2.2, =3.4.4 Source cves: CVE-2026-25050 Source advisory: SNYK:JS-VENDURECORE-15166603...

CVSS 6.9, AI score 5.8, EPSS 0.00021
Exploits 1
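The CVE-2026-25050 entries describe username enumeration by timing the authenticate path: an unknown identifier is answered faster than a known one with a wrong password. As an added example, not Vendure's authenticate implementation, the TypeScript below contrasts an early-return lookup with one that performs the same scrypt work whether or not the identifier exists. The in-memory user store, the scrypt parameters, and the dummy-hash technique are assumptions; a median-timing helper is included so the difference can be observed locally.

```typescript
// Added example for the CVE-2026-25050 bug class (timing-based user enumeration).
// Not Vendure's code: the user store and hashing parameters are assumptions.
import { scryptSync, randomBytes, timingSafeEqual } from 'crypto';

// Constructed user store for the example. The scrypt cost is kept modest so
// the demonstration runs in a couple of seconds.
const SCRYPT_KEYLEN = 32;
const SCRYPT_PARAMS = { N: 1 << 13, r: 8, p: 1 };

interface StoredUser {
  identifier: string;
  salt: Buffer;
  hash: Buffer;
}

function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, SCRYPT_KEYLEN, SCRYPT_PARAMS);
}

function makeUser(identifier: string, password: string): StoredUser {
  const salt = randomBytes(16);
  return { identifier, salt, hash: hashPassword(password, salt) };
}

const USERS = new Map<string, StoredUser>();
for (const user of [makeUser('alice@example.com', 'correct horse battery staple')]) {
  USERS.set(user.identifier, user);
}

// Leaky shape: an unknown identifier returns before any password hashing, so
// the response arrives orders of magnitude faster than for a known identifier
// with a wrong password. An attacker needs only a stopwatch, not a valid login.
function authenticateLeaky(identifier: string, password: string): boolean {
  const user = USERS.get(identifier);
  if (!user) {
    return false;
  }
  return timingSafeEqual(user.hash, hashPassword(password, user.salt));
}

// Hardened shape: the scrypt work is performed on every call. For an unknown
// identifier the password is hashed against a fixed dummy salt and compared to
// a dummy hash; the result is then masked by the existence check, so the
// observable cost no longer depends on whether the identifier exists.
const DUMMY_SALT = randomBytes(16);
const DUMMY_HASH = hashPassword('dummy-password-that-is-never-accepted', DUMMY_SALT);

function authenticateConstantWork(identifier: string, password: string): boolean {
  const user = USERS.get(identifier);
  const salt = user ? user.salt : DUMMY_SALT;
  const expected = user ? user.hash : DUMMY_HASH;
  const hashMatches = timingSafeEqual(expected, hashPassword(password, salt));
  return user !== undefined && hashMatches;
}

// Median wall-clock cost of `fn` in nanoseconds: the measurement an enumeration
// attack takes from outside, here without network jitter.
function medianNanos(fn: () => void, rounds = 9): number {
  const samples: number[] = [];
  for (let i = 0; i < rounds; i++) {
    const start = process.hrtime.bigint();
    fn();
    samples.push(Number(process.hrtime.bigint() - start));
  }
  samples.sort((a, b) => a - b);
  return samples[Math.floor(samples.length / 2)];
}
```

The dummy hash must be computed with the same parameters as real user hashes, otherwise the two paths still differ in cost; and the hashing must happen before the existence check is consulted, which is why the `&&` sits on the final line rather than around the hash call.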
vulnersOsv
added 2023/11/17 9:50 p.m., 5 views

@glarus-labs/vendure-social-auth (>=0.0.1 <=0.1.1), @mirahi/vendure-adyen-dropin-plugin (>=0.0.1 <=0.0.5) +40 more potentially affected by unknown CVE via @vendure/core (>=0.11.1 <=2.1.2)

@vendure/core NPM version =0.11.1, =0.0.1, =0.0.1, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1, =2.0.0, =2.0.0, =2.0.0, =2.1.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-WM63-7627-CH33...

AI score 5.8
Exploits 0
Veracode
added 2023/07/17 7:48 a.m., 9 views

Cross-Site Request Forgery (CSRF)

@vendure/core is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the defaultConfig because the cookie-session middleware's sameSite option is set to false, which most browsers interpret as the secure Lax option but old browsers interpret as the least secure option, whic...

AI score 6.8
Exploits 0
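The Veracode entry above concerns a session cookie issued without a SameSite attribute, which is what a cookie-session `sameSite: false` setting produces. The TypeScript below is an added check, not part of Vendure or of any of the listed advisories: it parses a Set-Cookie header and reports the CSRF-relevant attributes, so the cookie an instance actually sends can be verified after the cookie options are changed. The cookie name and the sample headers are constructed.

```typescript
// Added check for the CSRF finding above. Not Vendure's code; the cookie name
// and headers used with it are constructed examples.

interface CookieAudit {
  name: string;
  sameSite: string | null; // lowercased attribute value, or null when absent
  secure: boolean;
  httpOnly: boolean;
  findings: string[];
}

// Parse one Set-Cookie header value and flag the attributes that matter for
// cross-site request forgery. Attribute names are case-insensitive per RFC 6265.
function auditSetCookie(header: string): CookieAudit {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const [nameValue, ...attributes] = parts;
  const name = (nameValue ?? '').split('=')[0];

  let sameSite: string | null = null;
  let secure = false;
  let httpOnly = false;

  for (const attribute of attributes) {
    const [rawKey, rawValue] = attribute.split('=');
    const key = rawKey.trim().toLowerCase();
    if (key === 'samesite') {
      sameSite = (rawValue ?? '').trim().toLowerCase();
    } else if (key === 'secure') {
      secure = true;
    } else if (key === 'httponly') {
      httpOnly = true;
    }
  }

  const findings: string[] = [];
  if (sameSite === null) {
    // This is the cookie-session sameSite: false case: the attribute is simply
    // omitted. Current browsers default to Lax; older ones treat it as None.
    findings.push('SameSite missing: older browsers treat the cookie as SameSite=None');
  } else if (sameSite === 'none' && !secure) {
    findings.push('SameSite=None without Secure is rejected by current browsers');
  }
  if (!secure) {
    findings.push('Secure missing: cookie is sent over plain HTTP');
  }
  if (!httpOnly) {
    findings.push('HttpOnly missing: cookie is readable from script');
  }

  return { name, sameSite, secure, httpOnly, findings };
}
```

Run it over the Set-Cookie header returned by a login request to the Shop or Admin API; an empty findings list with `sameSite` reported as `lax` or `strict` is the state the fixed configuration should produce.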
vulnersOsv
added 2023/07/11 10:46 p.m., 0 views

@glarus-labs/vendure-social-auth (>=0.0.1 <=0.1.1), @mirahi/vendure-adyen-dropin-plugin (>=0.0.1 <=0.0.5) +1 more potentially affected by unknown CVE via @vendure/core (>=0.11.1 <=1.9.6)

@vendure/core NPM version =0.11.1, =0.0.1, =0.0.1, =0.0.5 - @zifahm/vendure-social-auth =0.1.2 Source cves: unknown CVE Source advisory: OSV:GHSA-H9WQ-XCQX-MQXM...

AI score 5.8
Exploits 0