Platform
nodejs
Component
@vendure/core
Fixed in
3.0.1
3.6.1
1.7.5
3.5.7
CVE-2026-40887 describes an unauthenticated SQL injection vulnerability discovered in the Vendure Shop API. This flaw allows attackers to inject malicious SQL queries directly into the database, potentially leading to unauthorized data access, modification, or deletion. The vulnerability impacts versions 3.0.0 through 3.5.7, and 3.6.0 through 3.6.1 of the @vendure/core component. A fix is available in version 2.3.4.
The impact of this SQL injection vulnerability is severe. An unauthenticated attacker can exploit it to bypass authentication and directly query the database. This allows them to extract sensitive information such as customer data (names, addresses, payment details), product information, order history, and administrative credentials. Successful exploitation could lead to complete data compromise and potentially allow the attacker to take control of the entire Vendure Shop instance. The ability to execute arbitrary SQL also opens the door to data manipulation, including modifying product prices, creating fraudulent orders, or deleting critical data. This vulnerability shares similarities with other SQL injection attacks where database access is gained through manipulating user input.
CVE-2026-40887 was published on 2026-04-14. There is currently no indication of this vulnerability being actively exploited in the wild. The CVSS score of 9.1 (CRITICAL) reflects the high potential impact and ease of exploitation. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's nature and severity. Monitor security advisories and threat intelligence feeds for any signs of exploitation.
Exploit Status
EPSS
5.38% (90% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40887 is to immediately upgrade to version 2.3.4 or later of the @vendure/core component. If upgrading is not immediately feasible, consider implementing temporary workarounds. These include strict input validation on all user-supplied query string parameters within the API, using parameterized queries or prepared statements to prevent SQL injection, and implementing a Web Application Firewall (WAF) with rules to detect and block malicious SQL injection attempts. Regularly review and update database access controls to minimize the potential impact of a successful attack. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection attack on the affected endpoints and verifying that the input is properly sanitized.
Actualice el paquete @vendure/core a la versión 2.3.4 o superior, 3.5.7 o superior, o 3.6.2 o superior. Si no puede actualizar inmediatamente, aplique el hotfix proporcionado por Vendure reemplazando el método `getLanguageCode` en `packages/core/src/service/helpers/request-context/request-context.service.ts` para validar la entrada `languageCode`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40887 is a critical SQL injection vulnerability in the Vendure Shop API, allowing attackers to execute arbitrary SQL queries. It affects versions 3.0.0–3.5.7 and 3.6.0–3.6.1 of the @vendure/core component, potentially leading to data breaches and system compromise.
If you are running Vendure Shop API with @vendure/core versions 3.0.0–3.5.7 or 3.6.0–3.6.1, you are affected by this vulnerability. Check your package.json file to confirm your version.
The recommended fix is to upgrade to version 2.3.4 or later of the @vendure/core component. If upgrading is not immediately possible, implement temporary workarounds like input validation and WAF rules.
Currently, there is no public evidence of CVE-2026-40887 being actively exploited in the wild, but the high CVSS score suggests it is a high-priority vulnerability to address.
Refer to the official Vendure security advisory for CVE-2026-40887 on the Vendure blog or GitHub repository. Check their security announcements page for the latest information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.