VulnerableCode Package Details - pkg:gem/spree

Search for packages

Vulnerability	Summary	Fixed by
VCID-2acx-2afs-pqb7 Aliases: CVE-2026-22588 GHSA-g268-72p7-9j6j	Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.	5.0.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.1.0.beta Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.1.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.2.0.rc1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-cyw4-uvae-bfhu Aliases: CVE-2026-25758 GHSA-87fh-rc96-6fr6	Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.	5.0.8 Affected by 0 other vulnerabilities. 5.1.0.beta Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.1.10 Affected by 0 other vulnerabilities. 5.2.0.rc1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.7 Affected by 0 other vulnerabilities. 5.3.0.rc1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.3.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2acx-2afs-pqb7
Aliases:
CVE-2026-22588
GHSA-g268-72p7-9j6j

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.

5.0.7
Affected by 1 other vulnerability.

5.1.0.beta
Affected by 2 other vulnerabilities.

5.1.9
Affected by 1 other vulnerability.

5.2.0.rc1
Affected by 2 other vulnerabilities.

5.2.5
Affected by 1 other vulnerability.

VCID-cyw4-uvae-bfhu
Aliases:
CVE-2026-25758
GHSA-87fh-rc96-6fr6

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

5.0.8
Affected by 0 other vulnerabilities.

5.1.0.beta
Affected by 2 other vulnerabilities.

5.1.10
Affected by 0 other vulnerabilities.

5.2.0.rc1
Affected by 2 other vulnerabilities.

5.2.7
Affected by 0 other vulnerabilities.

5.3.0.rc1
Affected by 1 other vulnerability.

5.3.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2acx-2afs-pqb7	Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.	CVE-2026-22588 GHSA-g268-72p7-9j6j
VCID-cyw4-uvae-bfhu	Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.	CVE-2026-25758 GHSA-87fh-rc96-6fr6

Vulnerability

Summary

Aliases

VCID-2acx-2afs-pqb7

CVE-2026-22588
GHSA-g268-72p7-9j6j

VCID-cyw4-uvae-bfhu

CVE-2026-25758
GHSA-87fh-rc96-6fr6

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T09:27:21.271332+00:00	Ruby Importer	Affected by	VCID-cyw4-uvae-bfhu	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-25758.yml	38.6.0
2026-06-13T09:27:02.146828+00:00	Ruby Importer	Affected by	VCID-2acx-2afs-pqb7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-22588.yml	38.6.0
2026-06-12T20:56:35.625484+00:00	GitLab Importer	Fixing	VCID-cyw4-uvae-bfhu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_api/CVE-2026-25758.yml	38.6.0
2026-06-12T20:44:25.671127+00:00	GitLab Importer	Fixing	VCID-2acx-2afs-pqb7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_api/CVE-2026-22588.yml	38.6.0