CVE-2026-40887
Description
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses RequestContextService.getLanguageCode to validate the languageCode input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing getLanguageCode method in packages/core/src/service/helpers/request-context/request-context.service.ts. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@vendure/corenpm | >= 3.0.0, < 3.5.7 | 3.5.7 |
@vendure/corenpm | >= 3.6.0, < 3.6.2 | 3.6.2 |
@vendure/corenpm | >= 1.7.4, < 2.3.4 | 2.3.4 |
Affected products
1Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.