HIGH🇵🇱 Wersja polska

CVE-2026-22589

CVSS 7.5v3.1pub. 2026-01-10upd. 2026-01-22

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Spreecommerce Spree

    APP
    Spreecommerce
    < 4.10.25.0.0 – 5.0.7 (bez)5.1.0 – 5.1.9 (bez)5.2.0 – 5.2.5 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassIDOR
CWE
References

Related vulnerabilities

CVE-2011-10026CRITICAL9.3PL ✓ten sam produkt

RCE via command injection w API wyszukiwania Spreecommerce Spree

CVE-2011-10019CRITICAL10.0PL ✓ten sam produkt

RCE w Spreecommerce Spree — brak sanitizacji parametru wyszukiwania

CVE-2026-25757HIGH7.7ten sam produkt

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, ...

CVE-2026-25758HIGH7.7ten sam produkt

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in ...

CVE-2020-26223HIGH7.7ten sam produkt

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and be...