CVE-2026-25757

MEDIUM

Spree < 5.0.8 - Unauthenticated Order Information Disclosure via Order ID

Title source: llm
STIX 2.1

Description

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

References (8)

Core 8
Core References

Scores

CVSS v3 5.3
EPSS 0.0044
EPSS Percentile 35.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (2)
rubygems/spree_storefront 0 - 5.0.8RubyGems
spreecommerce/spree < 5.0.8
Published Feb 06, 2026
Tracked Since Feb 18, 2026