
spreecommerce spree

13 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-25757
< 5.0.8
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthent
5.3 MEDIUM
CVE-2026-25758
< 4.10.3
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's gue
7.5 HIGH
CVE-2026-22589
< 4.10.2
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauth
7.5 HIGH
CVE-2026-22588
< 4.10.2
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authen
6.5 MEDIUM
CVE-2011-10026
< 0.50.1
Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Imprope
9.8 CRITICAL
CVE-2011-10019
< 0.60.2
Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in its search functionality. The applicat
9.8 CRITICAL
CVE-2020-26223
>= 3.7.0 and < 3.7.13
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13
7.7 HIGH
CVE-2020-15269
< 3.7.11
In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The is
7.4 HIGH
CVE-2013-2506
all versions
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safel
CVE-2013-1656
<= 1.3.2
Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute ar
CVE-2008-7311
all versions
The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret ke
CVE-2008-7310
all versions
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers
CVE-2010-3978
all versions
Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for