Vendurehq Vendure vulnerabilities
2 known vulnerabilities affecting vendurehq/vendure.
Total CVEs: 2
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 1
Vulnerabilities
CVE-2026-40887 | P2 | CRITICAL | CVSS 9.1 | PoC | CWE-89 | Affected: >= 3.0.0, < 3.5.7; >= 3.6.0, < 3.6.2; +1 more | Date: 2026-04-21
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an
Source: nvd
CVE-2026-25050 | P4 | MEDIUM | CVSS 5.3 | CWE-202 | Fixed in 3.5.3 | Date: 2026-01-30
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately
Source: nvd