CVE-2026-40887
Published: 21 April 2026
Summary
CVE-2026-40887 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Vendure is an open-source headless commerce platform that contains an unauthenticated SQL injection vulnerability in its Shop API. The flaw, present from version 1.7.4 through versions prior to 2.3.4, 3.5.7, and 3.6.2, arises when a user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation. It affects all supported database backends including PostgreSQL, MySQL/MariaDB, and SQLite; the Admin API is also impacted, though exploitation there requires prior authentication. The issue is tracked as CWE-89 with a CVSS score of 9.1.
An attacker can supply a malicious languageCode or similar parameter in requests to the Shop API and thereby execute arbitrary SQL against the underlying database, potentially extracting sensitive data or causing denial of service. Because the vector is unauthenticated and network-reachable, exploitation requires no credentials or user interaction.
The referenced GitHub Security Advisory states that patched releases convert the vulnerable interpolation to a parameterized query. For environments that cannot upgrade immediately, Vendure provides a hotfix that replaces the getLanguageCode method in RequestContextService to validate the languageCode input at the request boundary, silently dropping invalid values and falling back to the channel default. The EPSS score has remained flat at 0.0770 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24274
Vulnerability details
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.
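How the hotfix's boundary check and the patched releases' parameterization fit together, as an added TypeScript example that is not Vendure's code: the channel shape, the accepted language-code pattern, and the table and column names are assumptions made for the demonstration.

```typescript
// Constructed example: a request-boundary check for languageCode, with the
// interpolated query beside its parameterized replacement. Not Vendure's code.

// Assumed channel shape: the languages a channel is configured for and its default.
interface Channel {
  defaultLanguageCode: string;
  availableLanguageCodes: string[];
}

// Assumed shape of a language code: ISO 639 letters with an optional _REGION suffix,
// e.g. "en", "de", "pt_BR". Anything with quotes, spaces or punctuation fails here.
const LANGUAGE_CODE_RE = /^[a-z]{2,3}(?:_[A-Za-z]{2,4})?$/;

// Accept the requested value only when it is well-formed AND one of the channel's
// configured languages; otherwise silently fall back to the channel default, which
// is the behaviour the advisory describes for the hotfix.
function resolveLanguageCode(requested: unknown, channel: Channel): string {
  // Query-string parsers hand over arrays for repeated parameters; treat those as invalid too.
  if (typeof requested !== 'string') return channel.defaultLanguageCode;
  if (!LANGUAGE_CODE_RE.test(requested)) return channel.defaultLanguageCode;
  if (!channel.availableLanguageCodes.includes(requested)) return channel.defaultLanguageCode;
  return requested;
}

// The defect class the advisory describes: the value becomes part of the SQL text,
// so a quote in it changes the statement's grammar. Table and column names are assumed.
function interpolatedTranslationQuery(languageCode: string): string {
  return `SELECT * FROM product_translation WHERE "languageCode" = '${languageCode}'`;
}

// Defense in depth as in the patched releases: a placeholder in the SQL and the value
// sent separately, so the database never parses it as SQL whatever it contains.
function parameterizedTranslationQuery(languageCode: string): { sql: string; params: string[] } {
  return {
    sql: 'SELECT * FROM product_translation WHERE "languageCode" = $1',
    params: [languageCode],
  };
}

// Constructed demonstration values.
const demoChannel: Channel = { defaultLanguageCode: 'en', availableLanguageCodes: ['en', 'de', 'pt_BR'] };
const malformed = "en' OR '1'='1";
console.log(resolveLanguageCode('de', demoChannel));          // de
console.log(resolveLanguageCode('fr', demoChannel));          // en: well-formed but not configured
console.log(resolveLanguageCode(malformed, demoChannel));     // en: dropped at the boundary
console.log(interpolatedTranslationQuery(malformed));         // the quote closes the literal early
console.log(parameterizedTranslationQuery(malformed).sql);    // SQL text never changes
```

The boundary check alone stops the malformed value from reaching any query; the parameterized form is what makes the query safe even for a value that slips past a future validator.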
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in the public-facing Shop API enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary SQL execution for data extraction from databases (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs such as the languageCode parameter before it reaches any raw SQL expression, matching the hotfix behavior.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patches that replace unsafe string interpolation with parameterized queries in the Shop and Admin APIs.
- Enforces that only explicitly authorized operations may be performed against the database, blocking the arbitrary SQL execution path introduced by the injection flaw.