Lookup for vulnerable packages by Package URL.

Purl pkg:gem/spree_api@2.0.1
Type gem
Namespace
Name spree_api
Version 2.0.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 4.10.3
Latest_non_vulnerable_version 5.3.2
Affected_by_vulnerabilities
0
url VCID-2acx-2afs-pqb7
vulnerability_id VCID-2acx-2afs-pqb7
summary Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22588
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.01013
published_at 2026-06-13T12:55:00Z
1
value 9e-05
scoring_system epss
scoring_elements 0.01017
published_at 2026-06-14T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.01007
published_at 2026-06-12T12:55:00Z
3
value 9e-05
scoring_system epss
scoring_elements 0.01009
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22588
1
reference_url https://github.com/spree/spree
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree
2
reference_url https://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72
reference_id 02acabdce2c5f14fd687335b068d901a957a7e72
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T21:08:29Z/
url https://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72
3
reference_url https://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3
reference_id 17e78a91b736b49dbea8d1bb1223c284383ee5f3
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T21:08:29Z/
url https://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3
4
reference_url https://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8
reference_id b409c0fd327e7ce37f63238894670d07079eefe8
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T21:08:29Z/
url https://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22588
reference_id CVE-2026-22588
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22588
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-22588.yml
reference_id CVE-2026-22588.YML
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-22588.yml
7
reference_url https://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7
reference_id d3f961c442e0015661535cbd6eb22475f76d2dc7
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T21:08:29Z/
url https://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7
8
reference_url https://github.com/advisories/GHSA-g268-72p7-9j6j
reference_id GHSA-g268-72p7-9j6j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g268-72p7-9j6j
9
reference_url https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j
reference_id GHSA-g268-72p7-9j6j
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T21:08:29Z/
url https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j
fixed_packages
0
url pkg:gem/spree_api@4.10.2
purl pkg:gem/spree_api@4.10.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@4.10.2
1
url pkg:gem/spree_api@5.0.0.rc1
purl pkg:gem/spree_api@5.0.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2acx-2afs-pqb7
1
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.0.0.rc1
2
url pkg:gem/spree_api@5.0.7
purl pkg:gem/spree_api@5.0.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.0.7
3
url pkg:gem/spree_api@5.1.0.beta
purl pkg:gem/spree_api@5.1.0.beta
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2acx-2afs-pqb7
1
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.1.0.beta
4
url pkg:gem/spree_api@5.1.9
purl pkg:gem/spree_api@5.1.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.1.9
5
url pkg:gem/spree_api@5.2.0.rc1
purl pkg:gem/spree_api@5.2.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2acx-2afs-pqb7
1
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.2.0.rc1
6
url pkg:gem/spree_api@5.2.5
purl pkg:gem/spree_api@5.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.2.5
aliases CVE-2026-22588, GHSA-g268-72p7-9j6j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2acx-2afs-pqb7
1
url VCID-cyw4-uvae-bfhu
vulnerability_id VCID-cyw4-uvae-bfhu
summary Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25758
reference_id
reference_type
scores
0
value 0.00037
scoring_system epss
scoring_elements 0.11512
published_at 2026-06-14T12:55:00Z
1
value 0.00037
scoring_system epss
scoring_elements 0.11543
published_at 2026-06-13T12:55:00Z
2
value 0.00037
scoring_system epss
scoring_elements 0.11551
published_at 2026-06-12T12:55:00Z
3
value 0.00037
scoring_system epss
scoring_elements 0.11474
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25758
1
reference_url https://github.com/spree/spree
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spree/spree
2
reference_url https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
reference_id 15619618e43b367617ec8d2d4aafc5e54fa7b734
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:54Z/
url https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
3
reference_url https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
reference_id 29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:54Z/
url https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
4
reference_url https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8
reference_id 6650f96356faa0d16c05bcb516f1ffd5641741b8
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:54Z/
url https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8
5
reference_url https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748
reference_id 902d301ac83fd2047db1b9a3a99545162860f748
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:54Z/
url https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748
6
reference_url https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38
reference_id address_book.rb#L16-L38
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:54Z/
url https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38
7
reference_url https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
reference_id checkout.rb#L241-L254
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:54Z/
url https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25758
reference_id CVE-2026-25758
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25758
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-25758.yml
reference_id CVE-2026-25758.YML
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-25758.yml
10
reference_url https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054
reference_id ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:54Z/
url https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054
11
reference_url https://github.com/advisories/GHSA-87fh-rc96-6fr6
reference_id GHSA-87fh-rc96-6fr6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-87fh-rc96-6fr6
12
reference_url https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
reference_id GHSA-87fh-rc96-6fr6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:54Z/
url https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
13
reference_url https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
reference_id permitted_attributes.rb#L92-L96
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:54Z/
url https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
14
reference_url https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
reference_id update.rb#L33-L48
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:54Z/
url https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
fixed_packages
0
url pkg:gem/spree_api@4.10.3
purl pkg:gem/spree_api@4.10.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@4.10.3
1
url pkg:gem/spree_api@5.0.0.rc1
purl pkg:gem/spree_api@5.0.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2acx-2afs-pqb7
1
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.0.0.rc1
2
url pkg:gem/spree_api@5.0.8
purl pkg:gem/spree_api@5.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.0.8
3
url pkg:gem/spree_api@5.1.0.beta
purl pkg:gem/spree_api@5.1.0.beta
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2acx-2afs-pqb7
1
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.1.0.beta
4
url pkg:gem/spree_api@5.1.10
purl pkg:gem/spree_api@5.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.1.10
5
url pkg:gem/spree_api@5.2.0.rc1
purl pkg:gem/spree_api@5.2.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2acx-2afs-pqb7
1
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.2.0.rc1
6
url pkg:gem/spree_api@5.2.7
purl pkg:gem/spree_api@5.2.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.2.7
7
url pkg:gem/spree_api@5.3.0.rc1
purl pkg:gem/spree_api@5.3.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cyw4-uvae-bfhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.3.0.rc1
8
url pkg:gem/spree_api@5.3.2
purl pkg:gem/spree_api@5.3.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@5.3.2
aliases CVE-2026-25758, GHSA-87fh-rc96-6fr6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cyw4-uvae-bfhu
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/spree_api@2.0.1