CVE-2026-40887
Published: 2026-04-21
Priority P273 · Severity: critical · CVSS 3.1 base score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 1.76% (75.2th percentile)
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vendure | core | >= 1.7.4 < 2.3.4 | 2.3.4 |
| vendure | core | >= 3.0.0 < 3.5.7 | 3.5.7 |
| vendure | core | >= 3.6.0 < 3.6.2 | 3.6.2 |
| vendurehq | vendure | — | — |
Detection & IOCs (extracted from sources)
- URL: `/shop-api?languageCode=en'+AND+EXTRACTVALUE(5202,CONCAT(0x5c,(SELECT+MD5('999999999')))+AND+'ptic'%3d'ptic`
- Detect SQL injection attempts via the languageCode query parameter on the /shop-api endpoint: look for SQL keywords or error-based payloads (e.g., EXTRACTVALUE, CONCAT, SELECT) in the languageCode value.
- Fingerprint Vendure Shop API instances by checking for the presence of the vendure-auth-token HTTP response header.
- Exploitation is unauthenticated via the Shop API (/shop-api); the Admin API is also affected but requires authentication. Monitor POST requests to /shop-api with a languageCode parameter containing SQL metacharacters (single quotes, AND, SELECT, etc.).
- The vulnerable code path is ProductService.findOneBySlug: trace SQL queries originating from this method for anomalous CASE expression content injected via languageCode.
- The proof-of-concept uses a GraphQL query for product(slug: ...) combined with a malicious languageCode: correlate GraphQL product slug queries with suspicious languageCode parameter values in the same request.
- The Admin API is also vulnerable to the same SQL injection but requires authentication to exploit, reducing its unauthenticated attack surface.
- All supported database backends are affected (PostgreSQL, MySQL/MariaDB, SQLite), so detection and remediation must be applied regardless of the database engine in use.
- A hotfix is available that validates languageCode at the boundary using RequestContextService.getLanguageCode; invalid values are silently dropped and the channel's default language is used instead, which may mask injection attempts in logs if the hotfix is applied without additional logging.
- The vulnerability is present starting from version 1.7.4; patched versions are 2.3.4, 3.5.7, and 3.6.2.
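The two defensive ideas on this page, boundary validation of `languageCode` (the hotfix approach described in the summary) and log-based detection of injection attempts (the indicators listed above), as one added TypeScript example. This is illustrative code written for this page, not Vendure's `RequestContextService.getLanguageCode` or any Nuclei/SIEM rule; the channel language list, the combined-format log lines, and the function names `resolveLanguageCode`, `queryParam` and `scanAccessLog` are all assumptions made here. The validator records each rejected value rather than dropping it silently, which addresses the logging caveat noted in the last IOC bullet; the scanner runs the page's indicators over a constructed log that includes the IOC URL quoted above.

```typescript
// Added example for this advisory, not Vendure's own code. Two defender-side
// pieces: resolveLanguageCode() validates the languageCode query parameter
// against an allow-list at the request boundary and records every rejection
// instead of dropping it silently; scanAccessLog() flags /shop-api requests
// whose languageCode carries SQL metacharacters or keywords.

// Hypothetical channel configuration, constructed for this example.
export const CHANNEL_AVAILABLE_LANGUAGES: readonly string[] = ["en", "de", "fr", "pt_BR"];
export const CHANNEL_DEFAULT_LANGUAGE = "en";

// A language code is 2-3 lowercase letters with an optional _REGION suffix.
// Anything else (quotes, spaces, parentheses, ...) never reaches a query.
const LANGUAGE_CODE_SHAPE = /^[a-z]{2,3}(_[A-Z]{2})?$/;

export interface RejectedLanguageCode {
  raw: string;
  reason: "malformed" | "not_available_in_channel";
}

export function resolveLanguageCode(
  raw: string | null | undefined,
  rejections: RejectedLanguageCode[],
  available: readonly string[] = CHANNEL_AVAILABLE_LANGUAGES,
  fallback: string = CHANNEL_DEFAULT_LANGUAGE,
): string {
  if (raw == null || raw === "") return fallback;
  if (!LANGUAGE_CODE_SHAPE.test(raw)) {
    rejections.push({ raw, reason: "malformed" });
    return fallback;
  }
  if (!available.includes(raw)) {
    rejections.push({ raw, reason: "not_available_in_channel" });
    return fallback;
  }
  return raw;
}

// ---- detection over access-log lines -------------------------------------

// Indicators taken from the detection notes above.
const SQL_METACHARS = /['";()]|--|\/\*/;
const SQL_KEYWORDS = /\b(select|union|and|or|case|when|extractvalue|concat|sleep|benchmark)\b/i;

export interface Finding {
  lineNo: number;
  client: string;
  languageCode: string;
  indicators: string[];
}

// Combined-log-style request line: client ... "METHOD target HTTP/x.y".
const LOG_LINE = /^(\S+) .*?"(GET|POST) (\S+) HTTP\/[\d.]+"/;

// Returns the decoded value of one query parameter from a request target,
// treating '+' as a space the way form-encoded query strings do.
export function queryParam(target: string, name: string): string | null {
  const q = target.indexOf("?");
  if (q < 0) return null;
  for (const pair of target.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    if (key !== name) continue;
    const value = eq < 0 ? "" : pair.slice(eq + 1);
    try {
      return decodeURIComponent(value.replace(/\+/g, " "));
    } catch {
      return value; // bad percent-encoding: keep the raw value, still scannable
    }
  }
  return null;
}

export function scanAccessLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((line, idx) => {
    const m = LOG_LINE.exec(line);
    if (!m) return;
    const client = m[1];
    const target = m[3];
    if (target.split("?")[0] !== "/shop-api") return;
    const code = queryParam(target, "languageCode");
    if (code === null) return;
    const indicators: string[] = [];
    if (SQL_METACHARS.test(code)) indicators.push("sql_metacharacters");
    const kw = SQL_KEYWORDS.exec(code);
    if (kw) indicators.push(`sql_keyword:${kw[1].toUpperCase()}`);
    if (!LANGUAGE_CODE_SHAPE.test(code)) indicators.push("malformed_language_code");
    if (indicators.length > 0) {
      findings.push({ lineNo: idx + 1, client, languageCode: code, indicators });
    }
  });
  return findings;
}

// Constructed sample log; line 3 carries the IOC URL listed above.
export const SAMPLE_LOG: string[] = [
  `203.0.113.10 - - [21/Apr/2026:10:00:01 +0000] "POST /shop-api?languageCode=en HTTP/1.1" 200 812`,
  `203.0.113.11 - - [21/Apr/2026:10:00:02 +0000] "POST /shop-api?languageCode=pt_BR HTTP/1.1" 200 790`,
  `198.51.100.7 - - [21/Apr/2026:10:00:03 +0000] "POST /shop-api?languageCode=en'+AND+EXTRACTVALUE(5202,CONCAT(0x5c,(SELECT+MD5('999999999')))+AND+'ptic'%3d'ptic HTTP/1.1" 200 412`,
  `203.0.113.12 - - [21/Apr/2026:10:00:04 +0000] "GET /admin-api?languageCode=de HTTP/1.1" 401 0`,
];
```

Running `scanAccessLog(SAMPLE_LOG)` yields a single finding for line 3 with the indicators `sql_metacharacters`, `sql_keyword:AND` and `malformed_language_code`, while `en` and `pt_BR` pass clean and the Admin API request is out of scope for this rule. The shape check in the validator is deliberately stricter than "is it in the allow-list": it rejects any value that could not be a language code before the list lookup, so a mis-configured channel cannot widen what reaches the query layer.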
VulDB
vendurehq vendure up to 2.3.3/3.5.6/3.6.1 Vendure Shop API sql injection (vuldb, 2026-04-21, CVSS 9.1, CRITICAL)
A vulnerability described as critical has been identified in vendurehq vendure up to 2.3.3/3.5.6/3.6.1. This affects an unknown part of the component Vendure Shop API. Such manipulation leads to sql injection.
This vulnerability is referenced as CVE-2026-40887. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is recommended.
GHSA
@vendure/core has a SQL Injection vulnerability (ghsa, 2026-04-14, CRITICAL, CWE-89)
## Summary
An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite).
The Admin API is also affected, though exploitation there requires authentication.
## Affected versions
- `@vendure/core` >= 1.7.4, < 2.3.4
- `@vendure/core` >= 3.0.0, < 3.5.7
- `@vendure/core` >= 3.6.0, < 3.6.2
Note: versions 2.3.4 and above in the 2.x line are patched. There were no 2.4.x or 2.x releases between 2.3.x and 3.0.0.
## Patched versions
- `@vendure/core` 2.3.4
- `@vendure/core` 3.5.7
- `@vendure/core` 3.6.2
## Details
Nuclei
Vendure Core - SQL Injection (nuclei, CVSS 9.1)
Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or input validation, allowing unauthenticated attackers to execute arbitrary SQL commands. This can lead to full database disclosure and denial of service.
Template:
```yaml
id: CVE-2026-40887
info:
  name: Vendure Core - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated d
```