CNNVD-202601-1746 Information

CNNVD ID

CNNVD-202601-1746

CVE-2026-22589

  • CNNVD Published: 2026-01-10

Description

Spree Commerce is an open-source e-commerce platform from Spree. Spree Commerce versions before 4.10.2, before 5.0.7, before 5.1.9 and before 5.2.5 contain a security vulnerability caused by an unauthenticated insecure direct object reference (IDOR), which may allow an unauthenticated attacker to access guest address information without providing valid credentials or a session cookie.

Hazard Level

Medium

Vulnerability Type

Other

Affected Vendor

Spree

Published

2026-01-10

Last Modified

2026-02-24

References

  • https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795
  • https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad
  • https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67
  • https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad
  • https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr

Patch

https://github.com/spree/spree/releases
