Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-z4ke-cy5c-g7dd
Vulnerability ID VCID-z4ke-cy5c-g7dd
Aliases CVE-2020-26223
GHSA-m2jr-hmc3-qmpr
Summary
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-863 Incorrect Authorization
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00267 https://api.first.org/data/v1/epss?cve=CVE-2020-26223
epss 0.00267 https://api.first.org/data/v1/epss?cve=CVE-2020-26223
epss 0.00267 https://api.first.org/data/v1/epss?cve=CVE-2020-26223
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-m2jr-hmc3-qmpr
cvssv3.1 7.7 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml
cvssv3.1 7.7 https://github.com/spree/spree
generic_textual HIGH https://github.com/spree/spree
cvssv3.1 7.7 https://github.com/spree/spree/pull/10573
generic_textual HIGH https://github.com/spree/spree/pull/10573
cvssv3 7.7 https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
cvssv3.1 7.7 https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
cvssv3.1_qr HIGH https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
generic_textual HIGH https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
cvssv3.1 7.7 https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status
generic_textual HIGH https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status
cvssv3.1 7.7 https://nvd.nist.gov/vuln/detail/CVE-2020-26223
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2020-26223
cvssv3.1 7.7 https://rubygems.org/gems/spree_api/versions
generic_textual HIGH https://rubygems.org/gems/spree_api/versions
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2020-26223
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml
https://github.com/spree/spree
https://github.com/spree/spree/pull/10573
https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status
https://nvd.nist.gov/vuln/detail/CVE-2020-26223
https://rubygems.org/gems/spree_api/versions
GHSA-m2jr-hmc3-qmpr https://github.com/advisories/GHSA-m2jr-hmc3-qmpr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/spree/spree
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/spree/spree/pull/10573
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-26223
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://rubygems.org/gems/spree_api/versions
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.50465
EPSS Score 0.00267
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-12T01:54:34.285398+00:00 EPSS Importer Import https://epss.cyentia.com/epss_scores-current.csv.gz 38.6.0