
Spree

4 CVEs for this product


CVE-2026-25757 Ruby MEDIUM POC PATCH This Month

Spree versions up to 5.0.8 are affected by an authorization bypass through a user-controlled key (CWE-639), CVSS 5.3.

Ruby Spree
NVD GitHub
CVSS 3.1: 5.3
EPSS: 0.0%
CVE-2026-25758 Ruby HIGH POC PATCH This Week

Spree Commerce's guest checkout feature contains an insecure direct object reference (IDOR) flaw that allows unauthenticated attackers to access other customers' personally identifiable information by manipulating address parameters during transaction processing. Public exploit code exists for this vulnerability, which affects all guest checkout flows across multiple Spree versions. Patches are available for versions 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

Ruby DNS Spree
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.0%
CVE-2026-22589 Ruby HIGH POC PATCH This Week

Spree versions up to 4.10.2 are affected by an authorization bypass through a user-controlled key (CWE-639), CVSS 7.5.

Ruby Spree
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2026-22588 Ruby MEDIUM POC PATCH This Month

Spree e-commerce platform versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5 contain an authenticated insecure direct object reference vulnerability allowing logged-in users to access and retrieve address information belonging to other customers by manipulating address identifiers during order modification. Public exploit code exists for this vulnerability, which has been patched in the aforementioned versions.

Ruby Spree
NVD GitHub
CVSS 3.1: 6.5
EPSS: 0.0%
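The four entries above share one root cause: an address record is fetched by an identifier the client controls, without first checking that the record belongs to the caller's order or account (the guest-checkout IDOR in CVE-2026-25758 and the authenticated order-modification IDOR in CVE-2026-22588 are the two described in detail). The following is an added illustration of that pattern and its fix, not Spree's own code: the in-memory `Address` and `Order` records, the `NotFound` error, the helper names, and the assumption that a guest order is identified by a per-order token are all constructed for this example.

```ruby
# Added example, not Spree's code: the "authorization bypass through
# user-controlled key" (IDOR) pattern behind the address CVEs above, with the
# vulnerable lookup beside a scoped one. Records are constructed in-memory
# stand-ins for ActiveRecord models.

Address = Struct.new(:id, :user_id, :firstname, :address1, :city)
Order   = Struct.new(:number, :guest_token, :user_id, :bill_address_id, :ship_address_id)

class NotFound < StandardError; end

ADDRESSES = [
  Address.new(1, 100, "Alice", "1 Main St",  "Springfield"),
  Address.new(2, 200, "Bob",   "9 Elm Ave",  "Shelbyville"),
  Address.new(3, nil, "Guest", "5 Oak Road", "Ogdenville"), # guest address, no account
].freeze

ORDERS = [
  Order.new("R100", nil,         100, 1, 1), # Alice's order
  Order.new("R300", "tok-guest", nil, 3, 3), # guest checkout, identified by token only
].freeze

# Vulnerable pattern: the address is fetched by whatever id the client sent,
# with no check that it belongs to the caller's order or account. Any integer
# the attacker guesses (here 2) returns another customer's PII.
def vulnerable_address_lookup(params)
  ADDRESSES.find { |a| a.id == params[:address_id].to_i } || raise(NotFound)
end

# Constant-time comparison for the guest order token (avoids a timing oracle).
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Authorisation step: resolve the order from the caller's credential, never
# from a bare id. A logged-in user must own the order; a guest must present
# the order's token. Unauthorised and nonexistent both raise NotFound so the
# endpoint does not reveal whether other customers' records exist.
def authorised_order(order_number:, user_id: nil, guest_token: nil)
  order = ORDERS.find { |o| o.number == order_number } || raise(NotFound)
  owned_by_user  = !user_id.nil? && order.user_id == user_id
  owned_by_guest = order.user_id.nil? && secure_equal?(order.guest_token, guest_token)
  raise NotFound unless owned_by_user || owned_by_guest
  order
end

# Hardened pattern: the address id is accepted only if it is already attached
# to the authorised order, or (for logged-in users) sits in that user's own
# address book. Every other id, existing or not, is a 404.
def safe_address_lookup(order_number:, address_id:, user_id: nil, guest_token: nil)
  order = authorised_order(order_number: order_number, user_id: user_id, guest_token: guest_token)
  permitted = [order.bill_address_id, order.ship_address_id]
  permitted += ADDRESSES.select { |a| a.user_id == user_id }.map(&:id) unless user_id.nil?
  id = address_id.to_i
  raise NotFound unless permitted.include?(id)
  ADDRESSES.find { |a| a.id == id } || raise(NotFound)
end

# Demonstration: Bob's address (id 2) leaks through the vulnerable path, while
# the scoped path rejects the same id for both a guest and a logged-in user
# and still serves the caller's own address.
def demo
  leaked = vulnerable_address_lookup({ address_id: "2" }).firstname
  guest_blocked = begin
    safe_address_lookup(order_number: "R300", guest_token: "tok-guest", address_id: "2")
    false
  rescue NotFound
    true
  end
  user_blocked = begin
    safe_address_lookup(order_number: "R100", user_id: 100, address_id: "2")
    false
  rescue NotFound
    true
  end
  own = safe_address_lookup(order_number: "R100", user_id: 100, address_id: "1").firstname
  { leaked: leaked, guest_blocked: guest_blocked, user_blocked: user_blocked, own: own }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The check to look for in a real Rails controller is whether the lookup goes through an association already bound to the authenticated principal (the order resolved from the session or token, the user's own address collection) rather than a global `find` on a parameter. Returning the same 404 for "not yours" and "does not exist" keeps the endpoint from doubling as an enumeration oracle.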