Browse all 7 CVE security advisories affecting spree. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Spree is an open-source e-commerce platform built on Ruby on Rails, serving as a core solution for online retailers. Historically, it has been susceptible to multiple remote code execution vulnerabilities, cross-site scripting (XSS), and privilege escalation flaws, with seven CVEs documented to date. Notable security characteristics include its modular architecture, which can introduce complex dependency chains, and past incidents where authentication bypasses allowed unauthorized administrative access. The platform's frequent updates and active community help mitigate risks, but developers must remain vigilant about third-party extensions and proper configuration to prevent exploitation.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-25757 | Unauthenticated Spree Commerce users can view completed guest orders by Order ID — spreeCWE-639 | 5.3AI | MediumAI | 2026-02-06 |
| CVE-2026-25758 | Spree allows unauthenticated users can access all guest addresses — spreeCWE-639 | 6.5AI | MediumAI | 2026-02-06 |
| CVE-2026-22589 | Spree API has Unauthenticated IDOR - Guest Address — spreeCWE-639 | 7.5 | High | 2026-01-10 |
| CVE-2026-22588 | Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification — spreeCWE-639 | 6.5 | Medium | 2026-01-08 |
| CVE-2021-41275 | Authentication Bypass by CSRF Weakness — spree_auth_deviseCWE-352 | 9.3 | Critical | 2021-11-17 |
| CVE-2020-26223 | Authorization bypass in Spree — spreeCWE-863 | 7.7 | High | 2020-11-13 |
| CVE-2020-15269 | Expired token reuse in Spree — spreeCWE-287 | 7.4 | High | 2020-10-20 |
This page lists every published CVE security advisory associated with spree. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.