Vendure Core vulnerabilities
2 known vulnerabilities affecting vendure/core.
Total CVEs: 2
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, LOW 1
Vulnerabilities
CVE-2026-40887 | Priority: P2 | Severity: CRITICAL | Public exploit: PoC | Affected versions: ≥ 3.0.0, < 3.5.7; ≥ 3.6.0, < 3.6.2; +1 more | Date: 2026-04-14
CVE-2026-40887 [CRITICAL] CWE-89 @vendure/core has a SQL Injection vulnerability
## Summary
An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite
CVE-2026-25050 | Priority: P4 | Severity: LOW | Affected versions: ≥ 0, < 3.5.3 | Date: 2026-01-30
CVE-2026-25050 [LOW] CWE-202 Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
### Summary
The `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses).
### Details
In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate me