Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/953496?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/953496?format=api", "purl": "pkg:npm/%40vendure/core@3.1.0-next.2", "type": "npm", "namespace": "@vendure", "name": "core", "version": "3.1.0-next.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.5.7", "latest_non_vulnerable_version": "3.6.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89868?format=api", "vulnerability_id": "VCID-k1vr-fgbd-v7gb", "summary": "@vendure/core has a SQL Injection vulnerability\n## Summary\n\nAn unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite).\n\nThe Admin API is also affected, though exploitation there requires authentication.\n\n## Affected versions\n\n- `@vendure/core` < 2.3.4\n- `@vendure/core` >= 3.0.0, < 3.5.7\n- `@vendure/core` >= 3.6.0, < 3.6.2\n\nNote: versions 2.3.4 and above in the 2.x line are patched. There were no 2.4.x or 2.x releases between 2.3.x and 3.0.0.\n\n## Patched versions\n\n- `@vendure/core` 2.3.4\n- `@vendure/core` 3.5.7\n- `@vendure/core` 3.6.2\n\n## Details\n\nIn `ProductService.findOneBySlug`, the request context's `languageCode` value is interpolated into a SQL `CASE` expression via a JavaScript template literal:\n\n```ts\n.addSelect(\n `CASE translation.languageCode WHEN '${ctx.languageCode}' THEN 2 WHEN '${ctx.channel.defaultLanguageCode}' THEN 1 ELSE 0 END`,\n 'sort_order',\n)\n```\n\nTypeORM has no opportunity to parameterize this value because it is embedded directly into the SQL string before being passed to the query builder.\n\nThe `languageCode` value can originate from the HTTP query string and is set on the request context for every incoming API request. The value is cast to the `LanguageCode` TypeScript type at compile time, but no runtime validation is performed -- the raw query string value is used as-is.\n\n## Attack vector\n\nAn unauthenticated attacker can append a crafted `languageCode` query parameter to any Shop API request to inject arbitrary SQL into the query. No user interaction is required. The vulnerable endpoint is exposed on every default Vendure installation.\n\n## Mitigation\n\n**Upgrade to a patched version immediately.**\n\nIf you cannot upgrade right away, apply the following hotfix to `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query:\n\n```ts\nprivate getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined {\n const queryLanguageCode = req.query?.languageCode as string | undefined;\n const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode);\n return (\n (isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ??\n channel.defaultLanguageCode ??\n this.configService.defaultLanguageCode\n );\n}\n```\n\nThis replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead.\n\nThe patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.07704", "scoring_system": "epss", "scoring_elements": "0.92073", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.07704", "scoring_system": "epss", "scoring_elements": "0.92072", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.07704", "scoring_system": "epss", "scoring_elements": "0.92071", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.07704", "scoring_system": "epss", "scoring_elements": "0.92076", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40887" }, { "reference_url": "https://github.com/vendurehq/vendure", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vendurehq/vendure" }, { "reference_url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T13:40:47Z/" } ], "url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40887", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40887" }, { "reference_url": "https://github.com/advisories/GHSA-9pp3-53p2-ww9v", "reference_id": "GHSA-9pp3-53p2-ww9v", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9pp3-53p2-ww9v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111090?format=api", "purl": "pkg:npm/%40vendure/core@3.5.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540vendure/core@3.5.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/111091?format=api", "purl": "pkg:npm/%40vendure/core@3.6.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540vendure/core@3.6.2" } ], "aliases": [ "CVE-2026-40887", "GHSA-9pp3-53p2-ww9v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k1vr-fgbd-v7gb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49903?format=api", "vulnerability_id": "VCID-mvja-dec5-6qf2", "summary": "Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy\nThe `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25050", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06133", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06069", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06116", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0612", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25050" }, { "reference_url": "https://github.com/vendurehq/vendure", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vendurehq/vendure" }, { "reference_url": "https://github.com/vendurehq/vendure/commit/7f0c5556ecddb44a5d5208677a45fdd5923b0cc9", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/vendurehq/vendure/commit/7f0c5556ecddb44a5d5208677a45fdd5923b0cc9" }, { "reference_url": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-30T15:45:23Z/" } ], "url": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25050", "reference_id": "CVE-2026-25050", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25050" }, { "reference_url": "https://github.com/advisories/GHSA-6f65-4fv2-wwch", "reference_id": "GHSA-6f65-4fv2-wwch", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6f65-4fv2-wwch" }, { "reference_url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch", "reference_id": "GHSA-6f65-4fv2-wwch", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-30T15:45:23Z/" } ], "url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73753?format=api", "purl": "pkg:npm/%40vendure/core@3.5.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-k1vr-fgbd-v7gb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540vendure/core@3.5.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/953683?format=api", "purl": "pkg:npm/%40vendure/core@3.6.0-minor-202511061550", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540vendure/core@3.6.0-minor-202511061550" } ], "aliases": [ "CVE-2026-25050", "GHSA-6f65-4fv2-wwch" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mvja-dec5-6qf2" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540vendure/core@3.1.0-next.2" }