CVE-2026-25757

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-25757
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-25757.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-25757
Aliases
Published
2026-02-06T22:37:07.542Z
Modified
2026-02-07T02:53:27.559006Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Unauthenticated Spree Commerce users can view completed guest orders by Order ID
Details

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25757.json",
    "cwe_ids": [
        "CWE-639"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/spree/spree

Affected ranges

Type
GIT
Repo
https://github.com/spree/spree
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
7af62b211e1750d272887b258b27c736586abe5e
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.0.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/spree/spree
Events
Introduced
a8d7ad128ce7adabaea7e254803ac836fe88e154
Fixed
df01ae37e70d261babc8675e4882e2ee61067f6b
Database specific 
{
    "versions": [
        {
            "introduced": "5.1.0"
        },
        {
            "fixed": "5.1.10"
        }
    ]
}
Type
GIT
Repo
https://github.com/spree/spree
Events
Introduced
a100d2b1c9b264d1796b2433db002d12dddc32cc
Fixed
9b993497af028b28f5f08e11fcc65676702f4b98
Database specific 
{
    "versions": [
        {
            "introduced": "5.2.0"
        },
        {
            "fixed": "5.2.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/spree/spree
Events
Introduced
598f2be5f586d4b802874ec71bfd8ffe46851a4b
Fixed
506a52f48f767b75bc2e5465f99b2c138074520b
Database specific 
{
    "versions": [
        {
            "introduced": "5.3.0"
        },
        {
            "fixed": "5.3.2"
        }
    ]
}

Affected versions

v0.*
v0.11.0
v0.11.99
v0.2.0
v0.30.0.beta1
v0.4.0
v0.40.0
v0.5.0
v0.7.0
v0.70.0.rc2
v0.8.0
v0.8.1
v0.8.2
v1.*
v1.0.0.rc1
v1.0.0.rc2
v1.0.0.rc3
v1.2.0.rc1
v2.*
v2.4.0.rc1
v2.4.0.rc2
v2.4.0.rc3
v3.*
v3.0.0.rc1
v3.1.0.rc1
v3.2.0.rc1
v3.2.2
v3.3.0
v3.3.0.rc1
v3.3.0.rc2
v3.3.0.rc3
v3.3.0.rc4
v3.4.0
v3.4.0.rc1
v3.4.0.rc2
v3.5.0.rc1
v3.6.0.rc1
v3.7.0.beta
v3.7.0.rc1
v4.*
v4.0.0.beta
v4.1.0
v4.1.0.rc1
v4.1.0.rc2
v4.1.0.rc3
v4.10.0
v4.10.1
v4.2.0
v4.2.0.beta
v4.2.0.rc1
v4.2.0.rc2
v4.2.0.rc3
v4.2.0.rc4
v4.2.0.rc5
v4.3.0
v4.3.0.rc1
v4.3.0.rc2
v4.3.0.rc3
v4.4.0.rc1
v4.5.0
v4.6.0
v4.7.0
v4.8.0
v4.8.1
v4.8.2
v4.8.3
v4.9.0
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.1.7
v5.1.8
v5.1.9
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.3.0
v5.3.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-25757.json"