VulnerableCode Package Details - pkg:gem/spree

Search for packages

Vulnerability	Summary	Fixed by
VCID-cwev-75xu-dfbb Aliases: CVE-2026-22588 GHSA-g268-72p7-9j6j	Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification An Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response.	4.10.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.0.0.rc1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.1.0.beta Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.1.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.2.0.rc1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-qmcc-5swe-gkgf Aliases: CVE-2026-25758 GHSA-87fh-rc96-6fr6	Unauthenticated Spree Commerce users can access all guest addresses A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.	4.10.3 Affected by 0 other vulnerabilities. 5.0.0.rc1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.8 Affected by 0 other vulnerabilities. 5.1.0.beta Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.1.10 Affected by 0 other vulnerabilities. 5.2.0.rc1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.7 Affected by 0 other vulnerabilities. 5.3.0.rc1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.3.2 Affected by 0 other vulnerabilities.
VCID-yqz2-9hru-wkcs Aliases: CVE-2020-26223 GHSA-m2jr-hmc3-qmpr	Authorization bypass in Spree ### Impact The perpetrator could query the [API v2 Order Status] (https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as an Order token ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.	4.0.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.1.12 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-cwev-75xu-dfbb
Aliases:
CVE-2026-22588
GHSA-g268-72p7-9j6j

Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification An Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response.

4.10.2
Affected by 1 other vulnerability.

5.0.0.rc1
Affected by 2 other vulnerabilities.

5.0.7
Affected by 1 other vulnerability.

5.1.0.beta
Affected by 2 other vulnerabilities.

5.1.9
Affected by 1 other vulnerability.

5.2.0.rc1
Affected by 2 other vulnerabilities.

5.2.5
Affected by 1 other vulnerability.

VCID-qmcc-5swe-gkgf
Aliases:
CVE-2026-25758
GHSA-87fh-rc96-6fr6

Unauthenticated Spree Commerce users can access all guest addresses A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions.

4.10.3
Affected by 0 other vulnerabilities.

5.0.0.rc1
Affected by 2 other vulnerabilities.

5.0.8
Affected by 0 other vulnerabilities.

5.1.0.beta
Affected by 2 other vulnerabilities.

5.1.10
Affected by 0 other vulnerabilities.

5.2.0.rc1
Affected by 2 other vulnerabilities.

5.2.7
Affected by 0 other vulnerabilities.

5.3.0.rc1
Affected by 1 other vulnerability.

5.3.2
Affected by 0 other vulnerabilities.

VCID-yqz2-9hru-wkcs
Aliases:
CVE-2020-26223
GHSA-m2jr-hmc3-qmpr

Authorization bypass in Spree ### Impact The perpetrator could query the [API v2 Order Status] (https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as an Order token ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.

4.0.5
Affected by 2 other vulnerabilities.

4.1.12
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:50:19.483177+00:00	GitLab Importer	Affected by	VCID-qmcc-5swe-gkgf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_api/CVE-2026-25758.yml	38.6.0
2026-06-06T06:36:03.587202+00:00	GitLab Importer	Affected by	VCID-cwev-75xu-dfbb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_api/CVE-2026-22588.yml	38.6.0
2026-06-04T20:41:07.333929+00:00	GitLab Importer	Affected by	VCID-yqz2-9hru-wkcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_api/CVE-2020-26223.yml	38.6.0
2026-06-04T18:15:57.413470+00:00	Ruby Importer	Affected by	VCID-qmcc-5swe-gkgf	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-25758.yml	38.6.0
2026-06-04T18:15:46.460748+00:00	Ruby Importer	Affected by	VCID-cwev-75xu-dfbb	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2026-22588.yml	38.6.0