Cyber Resilience

CVE-2026-40887

Severity: Critical

Published: 21 April 2026
Modified: 22 April 2026
KEV Added: no (not currently listed in the CISA KEV catalog)
Patch: available (see Vulnerability details)
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS: 0.0176 (75.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-40887 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Vendure is an open-source headless commerce platform that contains an unauthenticated SQL injection vulnerability in its Shop API. The flaw, present from version 1.7.4 through versions prior to 2.3.4, 3.5.7, and 3.6.2, arises when a user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation. It affects all supported database backends including PostgreSQL, MySQL/MariaDB, and SQLite; the Admin API is also impacted, though exploitation there requires prior authentication. The issue is tracked as CWE-89 with a CVSS score of 9.1.

An attacker can supply a malicious languageCode or similar parameter in requests to the Shop API and thereby execute arbitrary SQL against the underlying database, potentially extracting sensitive data or causing denial of service. Because the vector is unauthenticated and network-reachable, exploitation requires no credentials or user interaction.

The referenced GitHub Security Advisory states that patched releases convert the vulnerable interpolation to a parameterized query. For environments that cannot upgrade immediately, Vendure provides a hotfix that replaces the getLanguageCode method in RequestContextService to validate the languageCode input at the request boundary, silently dropping invalid values and falling back to the channel default. The EPSS score has remained flat at 0.0770 with no material increase observed after disclosure.

Vulnerability details

Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.
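The two layers of the fix described above, as an added example that is not Vendure's own code: a boundary validator that drops invalid `languageCode` values and falls back to the channel default (the hotfix behaviour), and a query builder that keeps the SQL text constant and binds the value as a parameter (the patched-release fix). The table and column names, the allowlist pattern, and the request-log check at the end are assumptions made for illustration; the sample query strings are constructed, not taken from the advisory.

```typescript
// Added example, not Vendure's code: validate `languageCode` at the request
// boundary (the hotfix behaviour the advisory describes) and keep the SQL text
// constant by passing the value as a bound parameter (the patched-release fix).
// Table/column names and the allowlist pattern below are assumptions.

// Allowlist: 2-3 lowercase letters with an optional region/script subtag,
// e.g. "en", "en_GB", "zh_Hans". Anything else is treated as invalid.
const LANGUAGE_CODE_PATTERN = /^[a-z]{2,3}(?:_[A-Za-z]{2,4})?$/;

function isValidLanguageCode(value: unknown): value is string {
  return typeof value === 'string' && value.length <= 12 && LANGUAGE_CODE_PATTERN.test(value);
}

// Mirrors the hotfix: invalid values are silently dropped and the channel's
// default language is used instead.
function resolveLanguageCode(raw: unknown, channelDefault: string): string {
  return isValidLanguageCode(raw) ? raw : channelDefault;
}

// The vulnerable shape: untrusted input concatenated into the SQL text.
// Kept only to contrast with the parameterized form below.
function buildUnsafeQuery(languageCode: string): string {
  return `SELECT value FROM product_translation WHERE "languageCode" = '${languageCode}'`;
}

// The fixed shape: the SQL text never changes; the value travels separately.
// "$1" is PostgreSQL's placeholder; MySQL/MariaDB and SQLite use "?".
interface ParameterizedQuery { sql: string; parameters: string[] }

function buildParameterizedQuery(languageCode: string): ParameterizedQuery {
  return {
    sql: 'SELECT value FROM product_translation WHERE "languageCode" = $1',
    parameters: [languageCode],
  };
}

// Defender-side check over request query strings (e.g. from access logs):
// return the languageCode values the boundary validator would have rejected,
// so they can be reviewed or alerted on.
function rejectedLanguageCodes(queryStrings: string[]): string[] {
  const rejected: string[] = [];
  for (const qs of queryStrings) {
    const value = new URLSearchParams(qs).get('languageCode');
    if (value !== null && !isValidLanguageCode(value)) rejected.push(value);
  }
  return rejected;
}

// Constructed sample inputs (not taken from the advisory).
const CHANNEL_DEFAULT = 'en';
const SAMPLE_QUERY_STRINGS = [
  'languageCode=de&take=10',
  'languageCode=en_GB',
  "languageCode=en'x",              // quote character: fails the allowlist
  'languageCode=' + 'a'.repeat(40), // over-long value: fails the allowlist
  'take=10',                        // parameter absent: channel default applies
];

for (const qs of SAMPLE_QUERY_STRINGS) {
  const raw = new URLSearchParams(qs).get('languageCode') ?? undefined;
  console.log(JSON.stringify(raw), '->', resolveLanguageCode(raw, CHANNEL_DEFAULT));
}
```

The validator and the parameterized query are independent controls: the allowlist stops malformed values at the edge, while binding the value means that even a value that slipped past validation could never change the structure of the statement. Applying both is what the advisory calls defense in depth.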

CWE(s)

CWE-89 SQL Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

Unauthenticated SQL injection in the public-facing Shop API enables T1190 (Exploit Public-Facing Application), and the resulting arbitrary SQL execution supports data extraction from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25199 (shared CWE-89)
CVE-2026-27179 (shared CWE-89)
CVE-2025-0308 (shared CWE-89)
CVE-2019-25581 (shared CWE-89)
CVE-2026-27885 (shared CWE-89)
CVE-2019-25479 (shared CWE-89)
CVE-2026-1476 (shared CWE-89)
CVE-2019-25526 (shared CWE-89)
CVE-2025-69365 (shared CWE-89)
CVE-2019-25573 (shared CWE-89)

Affected Assets

Vendure (open-source headless commerce platform), versions from 1.7.4 prior to 2.3.4, 3.5.7, and 3.6.2: the Shop API (unauthenticated) and the Admin API (authenticated), on PostgreSQL, MySQL/MariaDB, and SQLite backends.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of untrusted inputs such as the languageCode parameter before it reaches any raw SQL expression, matching the hotfix behavior.

SI-2 Flaw Remediation (prevent): Mandates timely application of the vendor patches that replace unsafe string interpolation with parameterized queries in the Shop and Admin APIs.

prevent: Enforces that only explicitly authorized operations may be performed against the database, blocking the arbitrary SQL execution path introduced by the injection flaw.
