All 6 CVE vulnerabilities found in spree, with AI-generated Chinese analysis, references, and POCs.
Vendor: spree
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-25757 | Unauthenticated Spree Commerce users can view completed guest orders by Order ID CWE-639 | 5.3AI | MediumAI | 2026-02-06 |
| CVE-2026-25758 | Spree allows unauthenticated users can access all guest addresses CWE-639 | 6.5AI | MediumAI | 2026-02-06 |
| CVE-2026-22589 | Spree API has Unauthenticated IDOR - Guest Address CWE-639 | 7.5 | High | 2026-01-10 |
| CVE-2026-22588 | Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification CWE-639 | 6.5 | Medium | 2026-01-08 |
| CVE-2020-26223 | Authorization bypass in Spree CWE-863 | 7.7 | High | 2020-11-13 |
| CVE-2020-15269 | Expired token reuse in Spree CWE-287 | 7.4 | High | 2020-10-20 |
All 6 known CVE vulnerabilities affecting spree with full Chinese analysis, references, and POCs where available.