Cyber Resilience

CVE-2011-10019

Critical · Public PoC · RCE

Published: 13 August 2025
Modified: 24 September 2025
KEV Added: not listed
Patch: available (Spreecommerce 0.60.2)
CVSS v4 score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H; threat, environmental and supplemental metrics not defined)
EPSS score: 0.7964 (99.1st percentile)
Risk priority: 68 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2011-10019 is a critical-severity Code Injection (CWE-94) vulnerability in Spreecommerce Spree. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2011-10019 is a remote command execution vulnerability in Spreecommerce versions prior to 0.60.2. The flaw is in the search functionality: the keys and values of the client-supplied search hash are used as the method name and arguments of a call to Ruby's Object#send, and they are not checked against an allowlist of permitted search scopes. Because send ignores method visibility, a request whose search[send][] values name a method such as eval, instance_eval or system, followed by its argument, makes the application evaluate attacker-supplied Ruby and so run arbitrary shell commands on the server.

The vulnerability is exploitable remotely by unauthenticated attackers with network access to the storefront: a single crafted request to the search[send][] parameter yields command execution as the application's OS user, which is why CVSS v3.1 scores it 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) with high confidentiality, integrity and availability impact. Associated CWEs are CWE-94 (Improper Control of Generation of Code, 'Code Injection') and CWE-1321. Note that the description attached to the latter here, improperly controlled modification of dynamically-determined object attributes, is actually the title of CWE-915, which is the closer fit for unchecked dynamic dispatch through send; CWE-1321 itself is prototype pollution.
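The dispatch pattern described above, modelled in Ruby as an added example. This is not Spree's code and not the Metasploit module; the ProductScope, VulnerableSearch and SafeSearch classes, the scope names and the sample parameters are invented for illustration. It shows why a search hash whose key is "send" turns a scope lookup into an arbitrary method call, and why a method allowlist, rather than swapping send for public_send, is what closes the hole:

```ruby
# Added example, not Spree's code: a minimal model of the dynamic-dispatch
# bug behind CVE-2011-10019. Class, scope and parameter names are invented.

# Stand-in for a chainable query scope (what an ActiveRecord model returns).
class ProductScope
  attr_reader :conditions

  def initialize
    @conditions = []
  end

  def name_contains(term)
    @conditions << "name LIKE '%#{term}%'"
    self
  end

  def price_lte(amount)
    @conditions << "price <= #{Float(amount)}"
    self
  end
end

# Vulnerable dispatcher: every key of the search hash is treated as a scope
# name and invoked with Object#send. Rails parses the query string
# search[send][]=eval&search[send][]=... into {"send" => ["eval", "..."]},
# so the loop runs scope.send("send", "eval", "..."), which is the same as
# scope.send("eval", "..."): attacker-supplied Ruby. Kernel#eval and
# Kernel#system are private, but send ignores visibility.
class VulnerableSearch
  def self.apply(scope, search_params)
    search_params.each do |scope_name, args|
      scope = scope.send(scope_name, *Array(args))
    end
    scope
  end
end

# Hardened dispatcher: only names on a fixed allowlist are dispatched.
# Replacing send with public_send alone is NOT a fix: "send" is itself a
# public method, so public_send("send", "eval", ...) still reaches eval.
class SafeSearch
  ALLOWED_SCOPES = %w[name_contains price_lte].freeze

  def self.apply(scope, search_params)
    search_params.each do |scope_name, args|
      unless ALLOWED_SCOPES.include?(scope_name.to_s)
        raise ArgumentError, "unknown search scope: #{scope_name}"
      end
      scope = scope.public_send(scope_name, *Array(args))
    end
    scope
  end
end

# Attacker input as Rails would hand it to the controller (constructed).
# Ruby backticks run the string through /bin/sh, so this is shell execution.
EXPLOIT_PARAMS = { "send" => ["eval", "`echo pwned`.strip"] }.freeze

# Legitimate input for comparison (constructed).
NORMAL_PARAMS = { "name_contains" => "shirt", "price_lte" => "20" }.freeze

# Returns the shell command's output, proving the unpatched path executes it.
def exploit_demo
  VulnerableSearch.apply(ProductScope.new, EXPLOIT_PARAMS)
end

# Returns 42: public_send happily dispatches to the public method "send".
def public_send_is_not_a_fix
  ProductScope.new.public_send("send", "eval", "6 * 7")
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{exploit_demo.inspect}"
  puts "normal:     #{VulnerableSearch.apply(ProductScope.new, NORMAL_PARAMS).conditions.inspect}"
  begin
    SafeSearch.apply(ProductScope.new, EXPLOIT_PARAMS)
  rescue ArgumentError => e
    puts "hardened:   rejected (#{e.message})"
  end
end
```

The allowlist is the control that matters: it rejects "send", "eval", "instance_eval" and "system" alike, and it is what a fix for an application built on a dynamic scope-dispatch layer has to add. Input length or type limits on the search field do not help here, because the dangerous value is a short, well-formed method name.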

Mitigation requires upgrading to Spreecommerce 0.60.2 or later. Relevant advisories include an archived 2011 Spreecommerce blog post detailing the remote command execution in product group search, a VulnCheck advisory on the search parameter RCE, and public exploit resources such as a Metasploit module and an Exploit-DB entry.

Exploitation is well-documented in public repositories, with a dedicated Metasploit module and Exploit-DB listing confirming proof-of-concept availability since at least 2011.

Vulnerability details

Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in the search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby's send method. This allows attackers to execute arbitrary shell commands on the server without authentication.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct RCE on public-facing web app via unsanitized input to Ruby send(), enabling remote unauthenticated shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
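For detection engineers, an added example that is not from the page or from Spree: a small Ruby scanner for T1190 attempts against this flaw, run over constructed access-log lines. The log format, addresses and timestamps are invented; the indicator, a request parameter named search[send], is the one the advisory describes.

```ruby
require "cgi"

# Added example, not from the page or from Spree: flag requests whose query
# string carries a search[send] parameter, the indicator of CVE-2011-10019
# exploitation. The log format and the sample lines below are constructed.

# Combined-log style lines (constructed). The second and third are attack
# attempts; the second uses URL-encoded brackets, as many scanners do.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [13/Aug/2025:10:00:01 +0000] "GET /products?search[name_contains]=shirt HTTP/1.1" 200 5120
  203.0.113.9 - - [13/Aug/2025:10:00:02 +0000] "GET /products?search%5Bsend%5D%5B%5D=eval&search%5Bsend%5D%5B%5D=%60id%60 HTTP/1.1" 200 311
  198.51.100.7 - - [13/Aug/2025:10:00:03 +0000] "GET /products?search[send][]=instance_eval&search[send][]=system(%27id%27) HTTP/1.1" 500 0
LOG

# Matches the request line and status of a combined-log entry.
REQUEST_RE = %r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+" (?<status>\d{3})}

# Returns one hash per suspicious request: source IP, path, HTTP status and
# the decoded search[send] arguments (the method name and argument that
# would reach Object#send on an unpatched server).
def suspicious_requests(log_text)
  log_text.each_line.filter_map do |line|
    m = REQUEST_RE.match(line)
    next unless m
    path, query = m[:target].split("?", 2)
    next if query.nil?
    # CGI.parse percent-decodes both keys and values, so the encoded and
    # plain spellings of search[send][] collapse to the same key.
    params = CGI.parse(query)
    send_keys = params.keys.grep(/\Asearch\[send\]/)
    next if send_keys.empty?
    {
      ip: line[/\A\S+/],
      path: path,
      status: m[:status].to_i,
      send_args: send_keys.flat_map { |k| params[k] },
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ip]} #{hit[:path]} status=#{hit[:status]} send=#{hit[:send_args].inspect}"
  end
end
```

Two practical caveats: a 500 status on a flagged request does not mean the attempt failed (the injected code may have run before the response blew up), and access logs only show the query string, so the same parameter delivered in a POST body will not appear here and needs a WAF or application-level log to catch.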

CVEs Like This One

CVE-2026-25758 (same product: Spreecommerce Spree)
CVE-2011-10026 (same product: Spreecommerce Spree)
CVE-2026-22589 (same product: Spreecommerce Spree)
CVE-2026-29955 (shared CWE-94)
CVE-2024-55964 (shared CWE-94)
CVE-2026-20045 (shared CWE-94)
CVE-2025-67038 (shared CWE-94)
CVE-2024-23921 (shared CWE-94)
CVE-2024-53944 (shared CWE-94)
CVE-2024-44722 (shared CWE-94)

Affected Assets

spreecommerce / spree: versions prior to 0.60.2 (fixed in 0.60.2)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent)
Directly addresses the failure to sanitize the search[send][] parameter by requiring validation of all user inputs, in this case an allowlist of permitted search scope names, to prevent code injection and arbitrary command execution.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting and correction of the flaw by upgrading to Spreecommerce 0.60.2 or later, which eliminates the vulnerability.

Input restriction (prevent; control identifier not given on the page)
Complements input validation by restricting the types and volume of inputs accepted by the search functionality, reducing the exposure to malformed parameters. On its own this does not stop the exploit, since the dangerous value is a short, well-formed method name.
