Spree

4 CVEs product

CVE-2026-25757 MEDIUM POC PATCH This Month

Spree versions up to 5.0.8 are affected by authorization bypass through a user-controlled key (CVSS 5.3).

Ruby Spree
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25758 HIGH POC PATCH This Week

Spree Commerce's guest checkout feature contains an insecure direct object reference (IDOR) flaw that allows unauthenticated attackers to access other customers' personally identifiable information by manipulating address parameters during transaction processing. Public exploit code exists for this vulnerability, which affects all guest checkout flows across multiple Spree versions. Patches are available for versions 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

Ruby Dns Spree
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22589 HIGH POC PATCH This Week

Spree versions up to 4.10.2 are affected by authorization bypass through a user-controlled key (CVSS 7.5).

Ruby Spree
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22588 MEDIUM POC PATCH This Month

Spree e-commerce platform versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5 contain an authenticated insecure direct object reference vulnerability allowing logged-in users to access and retrieve address information belonging to other customers by manipulating address identifiers during order modification. Public exploit code exists for this vulnerability, which has been patched in the aforementioned versions.

Ruby Spree
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%