Spreecommerce < 0.60.2 Search Parameter RCE
Description
Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in their search functionality. The application fails to sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby's send method. This allows an unauthenticated attacker to execute arbitrary shell commands on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spreecommerce before 0.60.2 has unauthenticated remote command execution via the search[send][] parameter, because unsanitized input is passed to Ruby's send method.
Vulnerability
Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in the search functionality. The application fails to sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby's send method [1][2]. Because send accepts any method name and ignores method visibility, this allows arbitrary method calls, including calls to private Kernel methods, on the underlying objects.
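To make the mechanism concrete, the following is an added illustrative example in Ruby, not Spree's own code: a search-scope dispatcher in the shape the advisory describes, where each key of the search parameter hash is used as a method name on the scope object via Kernel#send, beside an allowlisted rewrite. The ProductScope class, its two scopes and the parameter hashes are constructed for the example and the exact Spree code path is not reproduced; a harmless eval of arithmetic stands in for the command-executing payload.

```ruby
# Illustrative Ruby, not Spree's code: a product scope with two legitimate
# search scopes, and two dispatchers that apply params["search"] to it.
class ProductScope
  # Scopes the storefront intends to expose through the search parameter.
  SEARCH_SCOPES = %i[in_name price_between].freeze

  attr_reader :applied

  def initialize
    @applied = []
  end

  def in_name(term)
    @applied << [:in_name, term]
    self
  end

  def price_between(low, high)
    @applied << [:price_between, low.to_f, high.to_f]
    self
  end
end

# Vulnerable pattern: every key of the search hash becomes a method name and
# respond_to? is the only gate. Object#send is public, so respond_to?(:send)
# is true, and send itself reaches private Kernel methods such as eval.
# search[send][]=eval&search[send][]=<code> parses to {"send" => ["eval", code]},
# which becomes scope.send(:send, "eval", code), i.e. eval(code).
def apply_search_vulnerable(scope, search_params)
  search_params.each do |name, args|
    scope_name = name.to_sym
    next unless scope.respond_to?(scope_name)
    scope = scope.send(scope_name, *Array(args))
  end
  scope
end

# Hardened pattern: the method name must be in an explicit allowlist, and
# public_send is used so a private method can never be reached even if the
# allowlist is later widened carelessly. The allowlist is the real fix;
# public_send alone would not help, because send is itself a public method.
def apply_search_hardened(scope, search_params)
  search_params.each do |name, args|
    scope_name = name.to_sym
    unless ProductScope::SEARCH_SCOPES.include?(scope_name)
      raise ArgumentError, "unknown search scope: #{name.inspect}"
    end
    scope = scope.public_send(scope_name, *Array(args))
  end
  scope
end

# True when the hardened dispatcher refuses the given parameter hash.
def rejected_by_allowlist?(search_params)
  apply_search_hardened(ProductScope.new, search_params)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed parameter hashes, shaped as Rack parses the query string.
  legit = { "in_name" => "ring", "price_between" => ["10", "20"] }
  abuse = { "send" => ["eval", "40 + 2"] } # harmless stand-in for a shell payload

  p apply_search_vulnerable(ProductScope.new, legit).applied
  p apply_search_vulnerable(ProductScope.new, abuse) # => 42: attacker-supplied code ran
  p rejected_by_allowlist?(abuse)                    # => true
end
```

The vulnerable dispatcher returns 42 for the abusive hash because the attacker's string was evaluated; in the real attack the evaluated string is the shell-spawning payload the advisory describes. The hardened dispatcher never consults respond_to? at all, which is the point: a method name from the request must be matched against a fixed list, not against what the object happens to respond to.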
Exploitation
An attacker can exploit this by sending a crafted, unauthenticated HTTP request to the search endpoint. The Metasploit module demonstrates a payload that uses Kernel.fork to execute shell commands [4]; the exploit is reachable from the network and requires no credentials.
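For defenders, the following added example (not from the advisory or the Metasploit module) hunts web-server access logs for requests that carry the search[send] parameter the CVE names. The log lines are constructed for the example, the Apache combined-log layout and the request paths are assumptions, and the payload values are placeholders; the check keys only on the parameter name, which is what the vulnerability depends on, so it catches both raw and percent-encoded brackets and repeated keys.

```ruby
require "uri"

# Constructed sample lines in Apache combined-log layout (an assumption; not
# real traffic). Paths are assumed; only the search[send] key comes from the CVE.
# Line 4 carries a different key under search[] and must not be flagged.
SAMPLE_LOG = <<~LOG
  203.0.113.10 - - [05/Oct/2011:10:12:01 +0000] "GET /products?search%5Bname_contains%5D=ring HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.44 - - [05/Oct/2011:10:12:09 +0000] "GET /products?search%5Bsend%5D%5B%5D=eval&search%5Bsend%5D%5B%5D=placeholder HTTP/1.1" 200 210 "-" "Mozilla/5.0"
  198.51.100.7 - - [05/Oct/2011:10:13:30 +0000] "GET /search?search[send][]=eval&search[send][]=placeholder HTTP/1.1" 500 88 "-" "curl/7.21.0"
  198.51.100.9 - - [05/Oct/2011:10:14:02 +0000] "GET /products?search%5Bsend_to%5D=1 HTTP/1.1" 200 4096 "-" "curl/7.21.0"
LOG

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Decode the query string the way Rack would and return the [key, value] pairs
# whose key addresses search[send]. Repeated keys are kept, because the attack
# relies on search[send][] being sent more than once (method name, then argument).
def send_scope_pairs(target)
  _path, query = target.split("?", 2)
  return [] if query.nil?
  URI.decode_www_form(query).select { |key, _| key.start_with?("search[send]") }
rescue ArgumentError
  # URI.decode_www_form raises on non-ASCII input; such a request is not a
  # well-formed query string and is skipped here rather than parsed further.
  []
end

# Scan log text and return one finding per request that targets search[send].
def find_send_abuse(log_text)
  findings = []
  log_text.each_line do |line|
    m = LOG_RE.match(line)
    next unless m
    pairs = send_scope_pairs(m[:target])
    next if pairs.empty?
    findings << { ip: m[:ip], ts: m[:ts], method: m[:method],
                  status: m[:status].to_i, values: pairs.map(&:last) }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_send_abuse(SAMPLE_LOG).each { |finding| puts finding.inspect }
end
```

A 500 response to such a request does not mean the attack failed: a payload that forks a child process, as the page says the Metasploit module does, can run to completion while the request itself still errors out, so every hit deserves a host-level follow-up regardless of status code.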
Impact
Successful exploitation grants an unauthenticated attacker the ability to execute arbitrary shell commands on the server, leading to full system compromise [2][4]. The resulting remote code execution can be used for data exfiltration or as a foothold for lateral movement.
Mitigation
The vulnerability was patched in Spreecommerce version 0.60.2 [1][2]. Users running earlier versions should upgrade immediately. A Metasploit exploit module is publicly available, which increases the likelihood of active exploitation [4].
- GitHub - spree/spree: Open-source headless eCommerce platform with REST API, TypeScript SDK, and Next.js storefront for cross-border, B2B or marketplace eCommerce.
- NVD - CVE-2011-10019
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| spree (RubyGems) | < 0.60.2 | 0.60.2 |
Affected products (2)
- Range: <0.60.2
- Spreecommerce/Spreecommercev5, Range: *
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb (ghsa: exploit, WEB)
- www.exploit-db.com/exploits/17941 (ghsa: exploit, WEB)
- github.com/advisories/GHSA-97vm-c39p-jr86 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2011-10019 (ghsa: ADVISORY)
- web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/ (mitre: vendor-advisory, patch)
- www.vulncheck.com/advisories/spreecommerce-search-parameter-rce (ghsa: third-party-advisory, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/spree/CVE-2011-10019.yml (ghsa: WEB)
- web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group (ghsa: WEB)
News mentions (0)
No linked articles in our index yet.