CVE-2026-25050
- EPSS 0.03%
- Published 30.01.2026 15:11:40
- Last modified 26.02.2026 21:59:27
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages...
CVE-2024-48914
- EPSS 91.92%
- Published 15.10.2024 16:15:06
- Last modified 16.10.2024 16:38:43
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents...
CVE-2022-23065
- EPSS 0.21%
- Published 02.05.2022 13:15:08
- Last modified 21.11.2024 06:47:54
Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by a stored XSS vulnerability, where an attacker with catalog permission can upload an SVG file containing malicious JavaScript to the “Assets” tab. The uploaded file will affect administrat...