CVE-2026-25757— Spree 安全漏洞

Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

N/A

通过用户控制密钥绕过授权机制

Spree 安全漏洞

Spree是个人开发者的一款采用Ruby on Rails开发的开源商城。 Spree 5.0.8之前版本、5.1.10之前版本、5.2.7之前版本和5.3.2之前版本存在安全漏洞，该漏洞源于未经验证的用户可以查看已完成的访客订单，可能导致访客用户的个人信息泄露。

N/A

N/A