CVE-2026-25757

Summary

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

Affected Software

VendorProductVersion RangeStatus
spreespree< 5.0.8affected
spreespree>= 5.1.0, < 5.1.10affected
spreespree>= 5.2.0, < 5.2.7affected
spreespree>= 5.3.0, < 5.3.2affected

Weaknesses

  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References