{"url":"http://public2.vulnerablecode.io/api/packages/1022307?format=json","purl":"pkg:npm/%40vendure/core@3.5.6-master-202603280305","type":"npm","namespace":"@vendure","name":"core","version":"3.5.6-master-202603280305","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.5.7","latest_non_vulnerable_version":"3.6.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89868?format=json","vulnerability_id":"VCID-k1vr-fgbd-v7gb","summary":"@vendure/core has a SQL Injection vulnerability\n## Summary\n\nAn unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite).\n\nThe Admin API is also affected, though exploitation there requires authentication.\n\n## Affected versions\n\n- `@vendure/core` < 2.3.4\n- `@vendure/core` >= 3.0.0, < 3.5.7\n- `@vendure/core` >= 3.6.0, < 3.6.2\n\nNote: versions 2.3.4 and above in the 2.x line are patched. There were no 2.4.x or 2.x releases between 2.3.x and 3.0.0.\n\n## Patched versions\n\n- `@vendure/core` 2.3.4\n- `@vendure/core` 3.5.7\n- `@vendure/core` 3.6.2\n\n## Details\n\nIn `ProductService.findOneBySlug`, the request context's `languageCode` value is interpolated into a SQL `CASE` expression via a JavaScript template literal:\n\n```ts\n.addSelect(\n    `CASE translation.languageCode WHEN '${ctx.languageCode}' THEN 2 WHEN '${ctx.channel.defaultLanguageCode}' THEN 1 ELSE 0 END`,\n    'sort_order',\n)\n```\n\nTypeORM has no opportunity to parameterize this value because it is embedded directly into the SQL string before being passed to the query builder.\n\nThe `languageCode` value can originate from the HTTP query string and is set on the request context for every incoming API request. The value is cast to the `LanguageCode` TypeScript type at compile time, but no runtime validation is performed -- the raw query string value is used as-is.\n\n## Attack vector\n\nAn unauthenticated attacker can append a crafted `languageCode` query parameter to any Shop API request to inject arbitrary SQL into the query. No user interaction is required. The vulnerable endpoint is exposed on every default Vendure installation.\n\n## Mitigation\n\n**Upgrade to a patched version immediately.**\n\nIf you cannot upgrade right away, apply the following hotfix to `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query:\n\n```ts\nprivate getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined {\n    const queryLanguageCode = req.query?.languageCode as string | undefined;\n    const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode);\n    return (\n        (isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ??\n        channel.defaultLanguageCode ??\n        this.configService.defaultLanguageCode\n    );\n}\n```\n\nThis replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead.\n\nThe patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40887","reference_id":"","reference_type":"","scores":[{"value":"0.07704","scoring_system":"epss","scoring_elements":"0.92087","published_at":"2026-06-09T12:55:00Z"},{"value":"0.07704","scoring_system":"epss","scoring_elements":"0.92076","published_at":"2026-06-05T12:55:00Z"},{"value":"0.07704","scoring_system":"epss","scoring_elements":"0.92073","published_at":"2026-06-06T12:55:00Z"},{"value":"0.07704","scoring_system":"epss","scoring_elements":"0.92071","published_at":"2026-06-07T12:55:00Z"},{"value":"0.07704","scoring_system":"epss","scoring_elements":"0.92072","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40887"},{"reference_url":"https://github.com/vendurehq/vendure","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vendurehq/vendure"},{"reference_url":"https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T13:40:47Z/"}],"url":"https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40887","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40887"},{"reference_url":"https://github.com/advisories/GHSA-9pp3-53p2-ww9v","reference_id":"GHSA-9pp3-53p2-ww9v","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9pp3-53p2-ww9v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111090?format=json","purl":"pkg:npm/%40vendure/core@3.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540vendure/core@3.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/111091?format=json","purl":"pkg:npm/%40vendure/core@3.6.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540vendure/core@3.6.2"}],"aliases":["CVE-2026-40887","GHSA-9pp3-53p2-ww9v"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k1vr-fgbd-v7gb"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540vendure/core@3.5.6-master-202603280305"}