RubyGems package
spree_api
pkg:gem/spree_api
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25758 | — |  |  | < 4.10.3 | 4.10.3 | Feb 6, 2026 | Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unaut… |
| CVE-2026-22588 | — |  |  | >= 3.7.0, < 4.10.2 | 4.10.2 | Jan 8, 2026 | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address inform… |
| CVE-2020-26223 | — |  |  | >= 3.7.0, < 3.7.13 | 3.7.13 | Nov 13, 2020 | Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string… |
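As an added example (not Spree's or RubyGems' own tooling), a Ruby script that reads the resolved spree_api version from a Gemfile.lock and checks it against the ranges above. Note that the "Affected versions" column only lists the range closed by the lowest fix: the CVE-2026-22588 text also names fixes on the 5.0, 5.1 and 5.2 branches (5.0.7, 5.1.9, 5.2.5), and the CVE-2020-26223 text names 4.0.5 and 4.1.12, so a 5.1.8 install is affected by CVE-2026-22588 even though it is outside "< 4.10.2". Those branches are encoded as separate ranges here; treating each branch as affected from its .0 release up to the named fix, and the sample lockfile, are assumptions of this example. `Gem::Version` and `Gem::Requirement` are the standard RubyGems classes.

```ruby
# Added example, not Spree's or RubyGems' own tooling: check a Gemfile.lock's
# resolved spree_api version against the ranges on this page.
require "rubygems"

# One entry per CVE. Each value is a list of ranges; matching any one of them
# means the version is affected. Branch ranges beyond the table's "Affected
# versions" column come from the fixed versions named in the CVE text; the
# lower bound of each extra branch (its .0 release) is an assumption.
SPREE_API_ADVISORIES = {
  # The page lists only "< 4.10.3"; the description is truncated here.
  "CVE-2026-25758" => [["< 4.10.3"]],
  # Fixed in 4.10.2, 5.0.7, 5.1.9 and 5.2.5; affected from 3.7.0.
  "CVE-2026-22588" => [[">= 3.7.0", "< 4.10.2"],
                       [">= 5.0.0", "< 5.0.7"],
                       [">= 5.1.0", "< 5.1.9"],
                       [">= 5.2.0", "< 5.2.5"]],
  # Fixed in 3.7.13, 4.0.5 and 4.1.12; affected from 3.7.0.
  "CVE-2020-26223" => [[">= 3.7.0", "< 3.7.13"],
                       [">= 4.0.0", "< 4.0.5"],
                       [">= 4.1.0", "< 4.1.12"]],
}.freeze

# Resolved version from the GEM/specs section of a Gemfile.lock. The spec line
# reads "    spree_api (4.10.1)"; dependency lines carry an operator
# ("spree_api (= 4.10.1)") and are deliberately not matched.
def spree_api_version(lockfile_text)
  m = lockfile_text.match(/^\s+spree_api \((\d+(?:\.\d+)+)\)/)
  m && Gem::Version.new(m[1])
end

# CVE IDs whose ranges the given Gem::Version falls into, in page order.
def affected_cves(version)
  return [] if version.nil?
  SPREE_API_ADVISORIES.select do |_cve, ranges|
    ranges.any? { |r| Gem::Requirement.new(*r).satisfied_by?(version) }
  end.keys
end

# Constructed sample lockfile (not from a real project): 5.1.8 lies below the
# 5.1.9 fix for CVE-2026-22588 even though it is outside "< 4.10.2".
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      spree_api (5.1.8)
        spree_core (= 5.1.8)
      spree_core (5.1.8)

  DEPENDENCIES
    spree_api (= 5.1.8)
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  v = spree_api_version(text)
  abort "spree_api not found in lockfile" unless v
  hits = affected_cves(v)
  puts "spree_api #{v}: #{hits.empty? ? 'no listed advisories match' : hits.join(', ')}"
end
```

Run it as `ruby check_spree_api.rb path/to/Gemfile.lock`; with no argument it checks the constructed sample. A version matching no range here only means none of the three advisories on this page apply, not that the gem is free of other issues.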
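The first two entries describe the same bug class, an address lookup keyed only on a client-supplied ID (guest checkout binding in CVE-2026-25758, authenticated retrieval in CVE-2026-22588). The following Ruby is an added illustration of that class using a hypothetical in-memory model; it is not Spree's code and not the actual vulnerable or patched implementation, and the `Address`/`Order` fields, method names and sample records are assumptions. The blank-token rule in the hardened version is included because matching on an empty or missing token is the same failure family as the third entry, where the endpoint is queried with an empty string.

```ruby
# Added example, not Spree's code: the IDOR class behind the two address
# advisories above, shown on a hypothetical in-memory model. Field and method
# names are assumptions for illustration only.
Address = Struct.new(:id, :user_id, :guest_token)
Order   = Struct.new(:id, :user_id, :guest_token)

# Constructed sample data: one registered user's saved address and two guests'
# checkout addresses.
ADDRESSES = [
  Address.new(1, 42,  nil),       # saved by registered user 42
  Address.new(2, nil, "guest-A"), # entered by guest A during checkout
  Address.new(3, nil, "guest-B"), # entered by guest B during checkout
].freeze

# Vulnerable shape: the client-supplied address_id is resolved globally, so
# any caller who guesses an ID can attach someone else's address to their
# order. Returns the address, or nil only if the ID does not exist at all.
def bind_address_vulnerable(_order, address_id)
  ADDRESSES.find { |a| a.id == address_id }
end

# Addresses the order's principal is entitled to reference: a registered
# user's own addresses, or, for a guest, addresses entered under the same
# guest token. A blank guest token matches nothing; comparing nil or "" against
# stored tokens would otherwise let an unauthenticated caller match records
# that carry no token at all.
def addresses_visible_to(order)
  if order.user_id
    ADDRESSES.select { |a| a.user_id == order.user_id }
  elsif order.guest_token.to_s.strip.empty?
    []
  else
    ADDRESSES.select { |a| a.guest_token == order.guest_token }
  end
end

# Hardened shape: resolve the ID only inside that allow-list. An ID outside it
# comes back nil and the caller answers 404, so the existence of other
# customers' address IDs is not confirmed either.
def bind_address_hardened(order, address_id)
  addresses_visible_to(order).find { |a| a.id == address_id }
end

if $PROGRAM_NAME == __FILE__
  guest_a = Order.new(10, nil, "guest-A")
  puts "vulnerable lookup of address 3 by guest A: #{bind_address_vulnerable(guest_a, 3).inspect}"
  puts "hardened lookup of address 3 by guest A:   #{bind_address_hardened(guest_a, 3).inspect}"
end
```

The read side of CVE-2026-22588 follows the same rule: an authenticated user's address lookup is scoped to that user's own records before the ID is applied, rather than fetching by ID and checking ownership afterwards (or not at all).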