vendure — Vulnerabilities & Security Advisories 4

All 4 CVE vulnerabilities found in vendure, with AI-generated Chinese analysis, references, and POCs.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-40887	@vendure/core has a SQL Injection vulnerability CWE-89	9.1	Critical	2026-04-21
CVE-2026-25050	Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy CWE-202	3.7^AI	Low^AI	2026-01-30
CVE-2024-48914	Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy CWE-22	9.1	Critical	2024-10-15
CVE-2022-23065	Vendure - XSS via SVG File Upload CWE-79	5.4	Medium	2022-05-02

All 4 known CVE vulnerabilities affecting vendure with full Chinese analysis, references, and POCs where available.