Every CVE whose affected-product data names Spreecommerce Spree, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (12)
CVE-2011-10019 — CVSS 9.8 (critical): Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails…
CVE-2011-10026 — CVSS 9.8 (critical): Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input…
CVE-2020-26223 — CVSS 7.7 (high): Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5…
CVE-2026-22589 — CVSS 7.5 (high): Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated…
CVE-2026-25758 — CVSS 7.5 (high): Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest…
CVE-2026-22588 — CVSS 6.5 (medium): Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated…
CVE-2026-25757 — CVSS 5.3 (medium): Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated…
CVE-2008-7310 — CVSS 5.0 (medium): Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set…
CVE-2008-7311 — CVSS 5.0 (medium): The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which…
CVE-2010-3978 — CVSS 5.0 (medium): Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for…
CVE-2013-1656 — CVSS 4.3 (medium): Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary…
CVE-2013-2506 — CVSS 4.0 (medium): app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when…