CVE-2026-25757

Description

Spree is an open-source e-commerce solution built with Ruby on Rails. In versions prior to 5.0.8, 5.1.10, 5.2.7, and 5.3.2, an unauthenticated user can view a completed guest order simply by knowing its Order ID. This discloses the PII of guest customers, including names, addresses and phone numbers. The issue is patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
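The class of bug described above is a missing ownership check on the order-detail lookup. The following Ruby example is added here to illustrate it and is not Spree's code: the in-memory orders, the field names (number, state, user_id, guest_token) and the helper names are all constructed assumptions. It shows a lookup keyed on the public order number alone beside a hardened lookup that requires either the owning logged-in user or the guest token issued with the order, and that returns the same "not found" result for unauthorized and nonexistent orders so the endpoint cannot be used to probe which order numbers exist.

```ruby
# Added illustration of the authorization gap, not Spree's code.
# Constructed in-memory stand-ins for completed orders; field names are assumptions.
Order = Struct.new(:number, :state, :user_id, :guest_token, :email, :ship_address,
                   keyword_init: true)

ORDERS = [
  Order.new(number: "R100000001", state: "complete", user_id: nil, guest_token: "g-7f3a9c",
            email: "guest@example.com", ship_address: "1 Main St"),
  Order.new(number: "R100000002", state: "complete", user_id: 42, guest_token: nil,
            email: "member@example.com", ship_address: "2 Side St"),
  Order.new(number: "R100000003", state: "cart", user_id: nil, guest_token: "g-cart",
            email: nil, ship_address: nil),
].freeze

# Constant-time string comparison so the guest-token check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Vulnerable lookup: anyone who knows (or guesses) the order number gets the record,
# guest PII included.
def find_completed_order_vulnerable(number)
  ORDERS.find { |o| o.number == number && o.state == "complete" }
end

# Hardened lookup: the caller must prove ownership, either as the logged-in user the
# order belongs to, or by presenting the guest token issued with that order.
# Unauthorized and nonexistent both return nil so callers cannot probe for existence.
def find_completed_order(number, current_user_id: nil, guest_token: nil)
  order = ORDERS.find { |o| o.number == number && o.state == "complete" }
  return nil unless order

  owner = !current_user_id.nil? && order.user_id == current_user_id
  guest = !order.guest_token.nil? && secure_equal?(order.guest_token, guest_token)
  (owner || guest) ? order : nil
end

# What a storefront order-detail action would render for the result of either lookup.
def order_detail(order)
  return { status: 404 } if order.nil?
  { status: 200, number: order.number, email: order.email, ship_address: order.ship_address }
end

if __FILE__ == $PROGRAM_NAME
  puts order_detail(find_completed_order_vulnerable("R100000001")).inspect # leaks guest PII
  puts order_detail(find_completed_order("R100000001")).inspect            # 404
  puts order_detail(find_completed_order("R100000001", guest_token: "g-7f3a9c")).inspect
end
```

The guest token in a real storefront would come from a signed session cookie set at checkout, never from a query parameter, and the number-only lookup should also be checked on every other surface that renders an order (confirmation pages, PDF invoices, API endpoints), since the same gap tends to recur wherever the order number is treated as a capability.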

Risk Information

Base Score: 5.3 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score (Exploitation Probability): 0.031

Associated Vulnerability

Vulnerability     Package                           Fixed version   OS Platform
CVE-2026-25757    Ruby-spree_storefront             5.0.8           Windows
CVE-2026-25757    Ruby-spree_storefront             5.1.10          Windows
CVE-2026-25757    Ruby-spree_storefront             5.2.7           Windows
CVE-2026-25757    Ruby-spree_storefront             5.3.2           Windows
CVE-2026-25757    Ruby-spree_storefront for Linux   5.0.8           Linux
CVE-2026-25757    Ruby-spree_storefront for Linux   5.1.10          Linux
CVE-2026-25757    Ruby-spree_storefront for Linux   5.2.7           Linux
CVE-2026-25757    Ruby-spree_storefront for Linux   5.3.2           Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2026-25757
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25757