CVE-2026-25757

HIGH EPSS 35.3%
Published Feb 6, 2026 (4 months ago) · Modified Jun 17, 2026 (1 week ago)
7.7 CVSS 4.0
High

Description

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

CVSS Details

Base Score: 7.7
Exploitability:
Impact:
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability: 35.3% percentile
Exploit & Patch Status: Public Exploit Known; Patch Available

Weaknesses 1

CWE-639: Authorization Bypass Through User-Controlled Key

Affected Products 4

Vendor          Product   Version   Range
spreecommerce   spree     *         <5.0.8
spreecommerce   spree     *         ≥5.1.0 – <5.1.10
spreecommerce   spree     *         ≥5.2.0 – <5.2.7
spreecommerce   spree     *         ≥5.3.0 – <5.3.2

References 8

  • github.com https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14
    Patch
  • github.com https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
    Patch
  • github.com https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
    Patch
  • github.com https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab
    Patch
  • github.com https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be
    Patch
  • github.com https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d
    Patch
  • github.com https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad
    Patch
  • github.com https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
    Exploit, Vendor Advisory

Remediation

Upgrade to a patched release: 5.0.8, 5.1.10, 5.2.7, or 5.3.2, as stated in the description above. The patch commits, the patched controller and number-generator source, and the vendor advisory are the items marked "Patch" and "Vendor Advisory" under References.