Platform
nodejs
Component
@vendure/core
Fixed versions
3.0.1
3.6.1
1.7.5
3.5.7
CVE-2026-40887 describes an unauthenticated SQL injection vulnerability discovered in the Vendure Shop API. The flaw allows an attacker to inject SQL into queries the API sends to its database, potentially leading to unauthorized data access, modification, or deletion. The vulnerability impacts versions 3.0.0 through 3.5.7, and 3.6.0 through 3.6.1 of the @vendure/core component. A fix is available in version 2.3.4.
The impact of this SQL injection vulnerability is severe. An unauthenticated attacker can exploit it to bypass authentication and directly query the database. This allows them to extract sensitive information such as customer data (names, addresses, payment details), product information, order history, and administrative credentials. Successful exploitation could lead to complete data compromise and potentially allow the attacker to take control of the entire Vendure Shop instance. The ability to execute arbitrary SQL also opens the door to data manipulation, including modifying product prices, creating fraudulent orders, or deleting critical data. This vulnerability shares similarities with other SQL injection attacks where database access is gained through manipulating user input.
CVE-2026-40887 was published on 2026-04-14. There is currently no indication of this vulnerability being actively exploited in the wild. The CVSS score of 9.1 (CRITICAL) reflects the high potential impact and ease of exploitation. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's nature and severity. Monitor security advisories and threat intelligence feeds for any signs of exploitation.
Exploitation status
EPSS
5.38% (90th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40887 is to immediately upgrade to version 2.3.4 or later of the @vendure/core component. If upgrading is not immediately feasible, consider implementing temporary workarounds. These include strict input validation on all user-supplied query string parameters within the API, using parameterized queries or prepared statements to prevent SQL injection, and implementing a Web Application Firewall (WAF) with rules to detect and block malicious SQL injection attempts. Regularly review and update database access controls to minimize the potential impact of a successful attack. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection attack on the affected endpoints and verifying that the input is properly sanitized.
Update the @vendure/core package to version 2.3.4 or later, 3.5.7 or later, or 3.6.2 or later. If you cannot update immediately, apply the hotfix provided by Vendure: replace the `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts` so that it validates the `languageCode` input.
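The hotfix described above replaces `getLanguageCode` with a version that validates the `languageCode` input. The block below is an added example, not Vendure's own code, of what such strict validation of a raw query-string value looks like; the allowlist, the regular expression and the function names are assumptions constructed for this illustration.

```typescript
// Added example (not Vendure's code): strict validation of a `languageCode`
// value taken from the request before it is used anywhere near a query.
// The allowlist below is constructed for this example; a real deployment
// would derive it from the language codes the server actually supports.
const ALLOWED_LANGUAGE_CODES: ReadonlySet<string> = new Set([
  'en', 'de', 'fr', 'es', 'ja', 'zh_Hans', 'pt_BR',
]);

// Structural check: 2-3 lowercase letters, optionally followed by one
// underscore-separated script or region subtag (e.g. zh_Hans, pt_BR).
// Anything else (quotes, semicolons, spaces, comment markers) fails here.
const LANGUAGE_CODE_SHAPE = /^[a-z]{2,3}(_[A-Za-z]{2,4})?$/;

// Type guard: true only for a string that has the expected shape AND is
// one of the codes we actually support. Both checks are needed: the shape
// check keeps the error message safe to log, the allowlist keeps unknown
// but well-formed codes from reaching the database.
function isValidLanguageCode(input: unknown): input is string {
  return typeof input === 'string'
    && LANGUAGE_CODE_SHAPE.test(input)
    && ALLOWED_LANGUAGE_CODES.has(input);
}

// Resolve the code to use for this request. A missing value falls back to
// the default; a present but invalid value is rejected outright rather than
// silently replaced, so that malformed input is visible in error handling.
function resolveLanguageCode(input: unknown, fallback: string = 'en'): string {
  if (input === undefined || input === null || input === '') {
    return fallback;
  }
  if (!isValidLanguageCode(input)) {
    // Truncate before logging so an oversized value cannot flood the log.
    const shown = String(input).slice(0, 32);
    throw new Error(`Unsupported languageCode: ${JSON.stringify(shown)}`);
  }
  return input;
}
```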
CVE-2026-40887 is a critical SQL injection vulnerability in the Vendure Shop API, allowing attackers to execute arbitrary SQL queries. It affects versions 3.0.0–3.5.7 and 3.6.0–3.6.1 of the @vendure/core component, potentially leading to data breaches and system compromise.
If you are running Vendure Shop API with @vendure/core versions 3.0.0–3.5.7 or 3.6.0–3.6.1, you are affected by this vulnerability. Check your package.json file to confirm your version.
The recommended fix is to upgrade to version 2.3.4 or later of the @vendure/core component. If upgrading is not immediately possible, implement temporary workarounds like input validation and WAF rules.
Currently, there is no public evidence of CVE-2026-40887 being actively exploited in the wild, but the high CVSS score suggests it is a high-priority vulnerability to address.
Refer to the official Vendure security advisory for CVE-2026-40887 on the Vendure blog or GitHub repository. Check their security announcements page for the latest information and updates.