{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40887", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.719Z", "datePublished": "2026-04-21T19:24:59.525Z", "dateUpdated": "2026-04-22T13:41:11.124Z"}, "containers": {"cna": {"title": "@vendure/core has a SQL Injection vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v"}], "affected": [{"vendor": "vendurehq", "product": "vendure", "versions": [{"version": ">= 3.0.0, < 3.5.7", "status": "affected"}, {"version": ">= 3.6.0, < 3.6.2", "status": "affected"}, {"version": ">= 1.7.4, < 2.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:24:59.525Z"}, "descriptions": [{"lang": "en", "value": "Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth."}], "source": {"advisory": "GHSA-9pp3-53p2-ww9v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:40:47.546973Z", "id": "CVE-2026-40887", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:41:11.124Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:40:47.546973Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:41:06.886Z"}}], "cna": {"title": "@vendure/core has a SQL Injection vulnerability", "source": {"advisory": "GHSA-9pp3-53p2-ww9v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vendurehq", "product": "vendure", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.5.7"}, {"status": "affected", "version": ">= 3.6.0, < 3.6.2"}, {"status": "affected", "version": ">= 1.7.4, < 2.3.4"}]}], "references": [{"url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v", "name": "https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:24:59.525Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40887", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:41:11.124Z", "dateReserved": "2026-04-15T15:57:41.719Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:24:59.525Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth."}], "id": "CVE-2026-40887", "lastModified": "2026-04-22T21:08:48.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:02.397", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.5.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.6.0,3.6.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.7.4,2.3.4)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "vendure", "source": "cna", "vendor": "vendurehq"}, "product": "vendure", "vendor": "vendure"}], "analysis": {"en": {"generated_at": "2026-04-22T15:06:56.104002+00:00", "value": {"mitigation_remediation": ["Upgrade Vendure to version 2.3.4 or newer (or 3.5.7/3.6.2 for supported branches).", "If immediate upgrade is not possible, apply the hotfix that validates languageCode at the boundary by replacing RequestContextService.getLanguageCode.", "Configure the application to restrict allowed language codes and enforce strict input validation to prevent malformed values."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection leading to arbitrary SQL execution"}, "threat_synthesis": {"affected_systems": "The vulnerable component is found in vendurehq's Vendure project. Versions starting at 1.7.4 and up to, but not including, 2.3.4, 3.5.7, and 3.6.2 are impacted. All database backends supported by the platform\u2014PostgreSQL, MySQL/MariaDB, and SQLite\u2014are affected. The Admin API is also exposed to the same issue, though it requires authentication to exploit. Upgraded releases 2.3.4, 3.5.7, and 3.6.2 contain the remediation.", "description_and_impact": "Vendure, an open\u2011source headless commerce platform, contains an unauthenticated SQL injection flaw in its Shop API. The vulnerability arises from a user\u2011controlled query string parameter that is directly interpolated into a raw SQL expression without parameterization or validation. Because of this, an attacker can craft malicious input that will be executed against the database, enabling the execution of arbitrary SQL commands. This flaw is classified as CWE\u201189 and can result in data theft, modification, or loss of database integrity.", "risk_and_exploitability": "The CVSS score for this vulnerability is 9.1, indicating a critical rating. EPSS is 5%, and the issue is not listed in the CISA KEV catalog. The most likely attack vector is unauthenticated remote access to the Shop API, where the attacker supplies a crafted query string. If authentication is present (Admin API), the attacker needs valid credentials. The remedy is straightforward: update to a patched version or apply the provided hotfix that validates the languageCode value before it reaches the raw SQL layer, thereby blocking injection payloads."}}}}, "created": "2026-04-22T06:45:10.880514+00:00", "updated": "2026-04-22T15:15:16.421135+00:00", "vendors": ["vendure", "vendure$PRODUCT$vendure"]}