VulnerableCode Package Details - pkg:gem/spree

Search for packages

Vulnerability	Summary	Fixed by
VCID-qmcc-5swe-gkgf Aliases: CVE-2026-25758 GHSA-87fh-rc96-6fr6	Unauthenticated Spree Commerce users can access all guest addresses A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.	5.2.7 Affected by 0 other vulnerabilities. 5.3.0.rc1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.3.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-qmcc-5swe-gkgf
Aliases:
CVE-2026-25758
GHSA-87fh-rc96-6fr6

Unauthenticated Spree Commerce users can access all guest addresses A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.

5.2.7
Affected by 0 other vulnerabilities.

5.3.0.rc1
Affected by 1 other vulnerability.

5.3.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-cwev-75xu-dfbb	Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification An Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response.	CVE-2026-22588 GHSA-g268-72p7-9j6j

Vulnerability

Summary

Aliases

VCID-cwev-75xu-dfbb

Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification An Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response.

CVE-2026-22588
GHSA-g268-72p7-9j6j

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:50:20.319790+00:00	GitLab Importer	Affected by	VCID-qmcc-5swe-gkgf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_api/CVE-2026-25758.yml	38.6.0
2026-06-05T21:55:01.998340+00:00	GHSA Importer	Fixing	VCID-cwev-75xu-dfbb	https://github.com/advisories/GHSA-g268-72p7-9j6j	38.6.0
2026-06-04T18:15:57.641746+00:00	Ruby Importer	Affected by	VCID-qmcc-5swe-gkgf	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-25758.yml	38.6.0
2026-06-04T16:54:38.694166+00:00	GithubOSV Importer	Fixing	VCID-cwev-75xu-dfbb	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-g268-72p7-9j6j/GHSA-g268-72p7-9j6j.json	38.6.0
2026-06-02T04:49:25.083668+00:00	GitLab Importer	Fixing	VCID-cwev-75xu-dfbb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_api/CVE-2026-22588.yml	38.6.0