VYPR

npm package

@vendure/core

pkg:npm/%40vendure/core

Vulnerabilities (2)

  • CVE-2026-40887 | Cri | Apr 21, 2026
    affected: >= 3.0.0, < 3.5.7; fixed: 3.5.7

    Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a r

  • CVE-2026-25050 | Jan 30, 2026
    affected: < 3.5.3; fixed: 3.5.3

    Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-a