VYPR
Critical severity · NVD Advisory · Published Aug 20, 2025 · Updated Apr 7, 2026

Spreecommerce < 0.50.x API RCE

CVE-2011-10026

Description

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitization allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby's send method. This flaw enables unauthenticated attackers to execute commands on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated remote command execution in Spree Commerce API search via Ruby's send method and instance_eval parameter injection.

Vulnerability

Overview

CVE-2011-10026 is a remote command execution vulnerability in Spree Commerce versions prior to 0.50.x. The flaw resides in the API's search functionality, where user-supplied input is passed unsanitized to the search[instance_eval] parameter. This parameter is dynamically invoked using Ruby's send method, allowing an attacker to inject arbitrary shell commands that are executed on the server [2].

Attack

Vector and Exploitation

The vulnerability is exploitable by unauthenticated attackers who can craft HTTP requests to the Spree API's search endpoint. By supplying a search[instance_eval] key within the search hash, an attacker bypasses input validation and causes the server to evaluate arbitrary Ruby code or shell commands. The lack of an authentication requirement and the direct use of user-controlled hash keys in a dynamic send call make this a straightforward attack vector [2].

Impact

Successful exploitation lets the attacker run arbitrary commands on the underlying server with the privileges of the Spree application. This can lead to full compromise of the e-commerce platform, including access to customer data and payment information, and the ability to modify site content or pivot to internal networks [2].

Mitigation

The vulnerability was addressed in Spree 0.50.x by migrating from the searchlogic library to meta_search, which eliminated the dangerous instance_eval pattern. The commit [4] shows the code change that replaced the vulnerable searchlogic call with a safer search method. Users running versions prior to 0.50.x should upgrade immediately. No workaround is available for unpatched versions [2][4].
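The defensive counterpart of the pattern described in the Overview and Mitigation sections, as an added Ruby example that is not Spree's code or the fix commit's code: search keys are checked against an explicit allow-list of column/predicate pairs before anything is dispatched to the ORM, and access-log lines are scanned for search[...] keys outside that list. The column names, predicate names, log format and log lines are constructed for this example.

```ruby
require 'cgi'

# Hypothetical allow-list for this example: the columns the admin orders and
# products searches on this page touch, and predicates in the style the fix
# commit uses (is_not_null, starts_with, ...). Not Spree's actual lists.
SEARCHABLE_COLUMNS = %w[completed_at number state payment_state shipment_state
                        email total name].freeze
ALLOWED_PREDICATES = %w[eq starts_with is_null is_not_null gt lt gte lte].freeze

# A permitted search key is exactly <column>_<predicate>. Any other key, such
# as instance_eval or send, is rejected instead of being dispatched dynamically.
SEARCH_KEY = /\A(#{SEARCHABLE_COLUMNS.join('|')})_(#{ALLOWED_PREDICATES.join('|')})\z/

# Returns [kept, rejected]: the filtered hash to hand to the ORM, and the
# names of the keys that were dropped (worth logging on the server side).
def filter_search_params(search)
  kept = {}
  rejected = []
  search.each do |key, value|
    if SEARCH_KEY.match?(key.to_s)
      kept[key.to_s] = value
    else
      rejected << key.to_s
    end
  end
  [kept, rejected]
end

# Detection side: given one access-log line in the constructed form
# "METHOD /path?query STATUS", return the search[...] keys outside the allow-list.
def suspicious_search_keys(line)
  target = line.split(' ')[1].to_s
  query = target.split('?', 2)[1].to_s
  CGI.parse(query).keys.filter_map do |param|
    m = param.match(/\Asearch\[(.+)\]\z/)
    m[1] if m && !SEARCH_KEY.match?(m[1])
  end
end

# Constructed sample log lines (not real traffic); the payload value is elided.
SAMPLE_LOG = [
  'GET /api/orders?search[completed_at_is_not_null]=true&search[email_starts_with]=a 200',
  'GET /api/orders?search[instance_eval]=REDACTED 500',
  'GET /api/products?search[name_starts_with]=x 200'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LOG.each { |l| puts "#{l.split(' ')[1]} -> #{suspicious_search_keys(l).inspect}" }
end
```

The filter rejects by default, so a new library predicate must be added to the list deliberately rather than becoming reachable the moment the gem supports it.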

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions           Patched versions
spree           RubyGems    >= 0.30.0.beta1, < 0.50.0   0.50.0
rd_searchlogic  RubyGems    <= 3.0.1                    (none listed)

Affected products: 2

Patches: 2

0a9a360c5908

migrate code from searchlogic to meta_search

https://github.com/spree/spree · Neeraj Singh · Feb 2, 2011 · via ghsa
3 files changed · +25 -16
  • core/app/controllers/admin/orders_controller.rb (+14 -5, modified)
    @@ -71,10 +71,14 @@ def collection
     
         if params[:search].present?
           if params[:search].delete(:completed_at_not_null) == "1"
    -        params[:search][:completed_at_not_null] = "1"
    +        raise 'boom'
    +        params[:search][:completed_at_is_not_null] = true
    +      else
    +        raise 'boom'
    +        params[:search][:completed_at_is_not_null] = false
           end
         else
    -      params[:search][:completed_at_not_null] = "1"
    +      params[:search][:completed_at_is_not_null] = true
         end
     
         if !params[:search][:completed_at_greater_than].blank?
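Review bot: the two `raise 'boom'` lines in the completed_at branch (the `+` line after `if params[:search].delete(:completed_at_not_null) == "1"` and the one after `else`) look like leftover debugging; every request that carries a search hash will raise before `params[:search][:completed_at_is_not_null]` is ever assigned. Remove both. Also, the controller still deletes the old key `:completed_at_not_null` while the view in this same commit renames the checkbox to `completed_at_is_not_null`, so the form value never reaches this branch and the `else` path (`false`) is always taken; read the renamed key here as well.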
    @@ -85,13 +89,18 @@ def collection
           params[:search][:completed_at_less_than] = Time.zone.parse(params[:search][:completed_at_less_than]).end_of_day rescue ""
         end
     
    -    params[:search][:order] ||= "descend_by_completed_at"
    -    @search = Order.searchlogic(params[:search])
    +    if order = params[:search].delete(:order)
    +      params[:search][:meta_sort] = order
    +    else
    +      params[:search][:meta_sort] = 'completed_at.desc'
    +    end
    +
    +    @search = Order.search(params[:search])
     
         # QUERY - get per_page from form ever???  maybe push into model
         # @search.per_page ||= Spree::Config[:orders_per_page]
     
    -    @collection = @search.do_search.paginate(:include  => [:user, :shipments, :payments],
    +    @collection = @search.paginate(:include  => [:user, :shipments, :payments],
                                        :per_page => Spree::Config[:orders_per_page],
                                        :page     => params[:page])
       end
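Review bot: `params[:search][:meta_sort] = order` passes whatever arrives in `search[order]` straight through as the sort, while the default right below uses the `'completed_at.desc'` form, so a client still sending the old `descend_by_completed_at` value gets a sort string in a format the new search method does not use; either translate the old names or drop the `:order` branch now that the view emits `sort_link`s. Separately, `params[:search]` is still handed wholesale to `Order.search`, so the set of keys a client may dispatch is whatever the search library accepts rather than a list this controller controls; an explicit allow-list of the keys the orders form actually uses would keep that surface in the application's hands regardless of library. Note too that `completed_at_greater_than` / `completed_at_less_than` in the unchanged context keep their old predicate names while `_not_null` and `begins_with` were renamed elsewhere in this commit; confirm the new library recognises them.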
    
  • core/app/controllers/admin/products_controller.rb (+1 -1, modified)
    @@ -91,7 +91,7 @@ def collection
           params[:search] = {} if params[:search].nil?
           params[:search][:order] ||= "ascend_by_name"
           tmp = params[:search].except(:deleted_at_not_null)
    -      @search = end_of_association_chain.searchlogic(tmp)
    +      @search = end_of_association_chain.search(tmp)
           @search.order ||= "ascend_by_name"
     
           pagination_options = {:include   => {:variants => [:images, :option_values]},
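Review bot: `params[:search][:order] ||= "ascend_by_name"` and `@search.order ||= "ascend_by_name"` are kept around the new `end_of_association_chain.search(tmp)` call, whereas the orders controller in this same commit moves ordering to `:meta_sort` in `column.direction` form; the products search is left with an old-style sort name and an `order` attribute on a search object that may no longer provide one. Apply the same `meta_sort` treatment here, and check that `:deleted_at_not_null` is still the right key to strip given the `_is_not_null` rename applied in the orders view.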
    
  • core/app/views/admin/orders/index.html.erb (+10 -10, modified)
    @@ -10,13 +10,13 @@
       <thead>
         <tr>
           <%= hook :admin_orders_index_headers do %>
    -        <th><%= order @search, :by => :completed_at,     :as => t("order_date") %></th>
    -        <th><%= order @search, :by => :number,           :as => t("order_number") %></th>
    -        <th><%= order @search, :by => :state,            :as => t("status") %></th>
    -        <th><%= order @search, :by => :payment_state,    :as => t("payment_state") %></th>
    -        <th><%= order @search, :by => :shipment_state,   :as => t("shipment_state") %></th>
    -        <th><%= order @search, :by => :email,            :as => t("customer") %></th>
    -        <th><%= order @search, :by => :total,            :as => t("total") %></th>
    +        <th><%= sort_link @search, :completed_at,   t("order_date") %></th>
    +        <th><%= sort_link @search, :number,         t("order_number") %></th>
    +        <th><%= sort_link @search, :state,          t("status") %></th>
    +        <th><%= sort_link @search, :payment_state,  t("payment_state") %></th>
    +        <th><%= sort_link @search, :shipment_state, t("shipment_state") %></th>
    +        <th><%= sort_link @search, :email,          t("customer") %></th>
    +        <th><%= sort_link @search, :total,          t("total") %></th>
           <% end %>
           <th>
             <%= hook :admin_orders_index_header_actions %>
    @@ -79,14 +79,14 @@
           </p>
           <p>
           <label><%= t 'first_name_begins_with' %></label><br />
    -          <%= f.text_field :bill_address_firstname_begins_with, :size=>25 %>
    +          <%= f.text_field :bill_address_firstname_starts_with, :size=>25 %>
           </p>
           <p>
             <label><%= t 'last_name_begins_with' %></label><br />
    -        <%= f.text_field :bill_address_lastname_begins_with, :size=>25 %>
    +        <%= f.text_field :bill_address_lastname_starts_with, :size=>25 %>
           </p>
           <p>
    -        <%= f.check_box :completed_at_not_null, {:style => "vertical-align:middle;"} %>
    +        <%= f.check_box :completed_at_is_not_null, {:style => "vertical-align:middle;"} %>
             <label>
               <%= t("show_only_complete_orders") %>
             </label>
    
3b559e7219f3

switch from rd_searchlogic to meta_search gem

https://github.com/spree/spree · Neeraj Singh · Feb 2, 2011 · via ghsa
2 files changed · +2 -2
  • core/lib/spree_core.rb (+1 -1, modified)
    @@ -36,8 +36,8 @@
     require 'awesome_nested_set'
     require 'acts_as_list'
     require 'resource_controller'
    -require 'searchlogic'
     require 'active_merchant'
    +require "meta_search"
     
     require 'spree_core/ext/active_record'
     
    
  • core/spree_core.gemspec (+1 -1, modified)
    @@ -28,7 +28,7 @@ Gem::Specification.new do |s|
       s.add_dependency('faker', '= 0.9.4')
       s.add_dependency('paperclip', '= 2.3.8')
       s.add_dependency('rd_resource_controller')
    -  s.add_dependency('rd_searchlogic', '= 3.0.1')
    +  s.add_dependency('meta_search', '= 1.0.1')
       s.add_dependency('activemerchant', '= 1.9.0')
       s.add_dependency('will_paginate', '= 3.0.pre2')
       s.add_dependency('rails', '= 3.0.3')
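Review bot: swapping `s.add_dependency('rd_searchlogic', '= 3.0.1')` for `meta_search` is the part of the fix that actually removes the vulnerable dependency; the advisory lists `rd_searchlogic <= 3.0.1` as affected with no patched version, so a deployment that keeps that gem loaded through another path (its own Gemfile or an extension) stays exposed even after taking this spree_core update. The commit message only says the gem was switched; it should state that removing rd_searchlogic from the dependency set, not just the controller changes in the companion commit, is what closes the issue.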
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 10
