CVE-2011-10026
Published: 20 August 2025
Summary
CVE-2011-10026 is a critical-severity OS Command Injection (CWE-78) vulnerability in Spreecommerce Spree. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the improper input sanitization in the API's search functionality by enforcing validation mechanisms to block command injection via the search[instance_eval] parameter.
Ensures timely remediation of the known flaw in Spreecommerce versions prior to 0.50.x through patching or upgrading, as recommended in advisories.
Boundary protection at external interfaces can inspect and filter malicious API requests attempting OS command injection before they reach the vulnerable search endpoint.
NVD Description
Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. This flaw…
more
enables unauthenticated attackers to execute commands on the server.
Deeper analysisAI
CVE-2011-10026 is a remote command execution vulnerability in Spreecommerce versions prior to 0.50.x. The flaw exists in the API's search functionality due to improper input sanitization, enabling attackers to inject arbitrary shell commands via the search[instance_eval] parameter. This parameter is dynamically invoked using Ruby's send method, allowing execution of commands on the server. The vulnerability is classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network without requiring privileges, user interaction, or special conditions. By crafting malicious requests to the search endpoint, they can achieve arbitrary command execution on the server, potentially leading to full system compromise, data exfiltration, or further lateral movement.
Advisories and references recommend upgrading to Spreecommerce 0.50.x or later to mitigate the issue, as detailed in the archived Spree blog post on security fixes from 2011. Additional resources include the Spree GitHub repository, a Metasploit Framework exploit module for spree_searchlogic_exec, Exploit-DB entry 17199, and a VulnCheck advisory on the Spreecommerce API RCE.
Public exploit code, including the Metasploit module and Exploit-DB PoC, has been available since around 2011, suggesting real-world exploitation potential for unpatched instances despite the CVE's 2025 publication date.
Details
- CWE(s)