ByteOS Network

Spreecommerce

Source -

CNA

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2011-10026

Assigner-VulnCheck

View Details

Assigner-VulnCheck

CVSS Score-9.3||CRITICAL

EPSS-0.61% / 68.68%

7 Day CHG~0.00%

Published-20 Aug, 2025 | 15:41

Updated-22 Aug, 2025 | 18:09

Spreecommerce < 0.50.x API RCE

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. This flaw enables unauthenticated attackers to execute commands on the server.

Vendor-Spreecommerce

Product-Spreecommerce

CWE ID-CWE-94

Improper Control of Generation of Code ('Code Injection')

CVE-2011-10019

Assigner-VulnCheck

View Details

Assigner-VulnCheck

CVSS Score-10||CRITICAL

EPSS-0.87% / 74.20%

7 Day CHG~0.00%

Published-13 Aug, 2025 | 20:53

Updated-18 Aug, 2025 | 21:15

Spreecommerce < 0.60.2 Search Parameter RCE

Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.

Vendor-Spreecommerce

Product-Spreecommerce

CWE ID-CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE ID-CWE-94

Improper Control of Generation of Code ('Code Injection')