cbcvebase.
CVE-2026-40887
published 2026-04-21

CVE-2026-40887: Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection…

PriorityP273critical9.1CVSS 3.1
AVNACLPRNUINSUCHINAH
EXPLOIT
EPSS
1.76%
75.2th percentile
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.

Affected

6 ranges
VendorProductVersion rangeFixed in
vendurecore>= 1.7.4 < 2.3.42.3.4
vendurecore>= 3.0.0 < 3.5.73.5.7
vendurecore>= 3.6.0 < 3.6.23.6.2
vendurehqvendure
vendurehqvendure
vendurehqvendure

Detection & IOCsextracted from sources · hover to see the quote

url/shop-api?languageCode=en'+AND+EXTRACTVALUE(5202,CONCAT(0x5c,(SELECT+MD5('999999999')))+AND+'ptic'%3d'ptic
path/shop-api
otherEXTRACTVALUE(5202,CONCAT(0x5c,(SELECT MD5(...))))
  • Detect SQL injection attempts via the languageCode query parameter on the /shop-api endpoint — look for SQL keywords or error-based payloads (e.g., EXTRACTVALUE, CONCAT, SELECT) in the languageCode value.
  • Fingerprint Vendure Shop API instances by checking for the presence of the vendure-auth-token HTTP response header.
  • Exploitation is unauthenticated via the Shop API (/shop-api); the Admin API is also affected but requires authentication. Monitor POST requests to /shop-api with a languageCode parameter containing SQL metacharacters (single quotes, AND, SELECT, etc.).
  • The vulnerable code path is ProductService.findOneBySlug — trace SQL queries originating from this method for anomalous CASE expression content injected via languageCode.
  • The proof-of-concept uses a GraphQL query for product(slug: ...) combined with a malicious languageCode — correlate GraphQL product slug queries with suspicious languageCode parameter values in the same request.
  • ·The Admin API is also vulnerable to the same SQL injection but requires authentication to exploit, reducing its unauthenticated attack surface.
  • ·All supported database backends are affected (PostgreSQL, MySQL/MariaDB, SQLite), so detection and remediation must be applied regardless of the database engine in use.
  • ·A hotfix is available that validates languageCode at the boundary using RequestContextService.getLanguageCode; invalid values are silently dropped and the channel's default language is used instead — this may mask injection attempts in logs if the hotfix is applied without additional logging.
  • ·The vulnerability is present starting from version 1.7.4; patched versions are 2.3.4, 3.5.7, and 3.6.2.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.