Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-25757

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

References

https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9 x_refsource_CONFIRM
https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab x_refsource_MISC
https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be x_refsource_MISC
https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d x_refsource_MISC
https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad x_refsource_MISC
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14 x_refsource_MISC
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8 x_refsource_MISC
https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45 x_refsource_MISC

Affected products

spree

==< 5.0.8
==>= 5.1.0, < 5.1.10
==>= 5.2.0, < 5.2.7
==>= 5.3.0, < 5.3.2

Matching in nixpkgs

pkgs.nextcloud-spreed-signaling

Dedicated signaling backend for nextcloud talk

nixos-unstable 2.0.3
- nixpkgs-unstable 2.0.4
- nixos-unstable-small 2.0.4
nixos-25.11 2.0.4
- nixpkgs-25.11-darwin 2.0.4

pkgs.typstPackages.spreet_0_1_0

Parse a spreadsheet

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixpkgs-25.11-darwin 0.1.0

Package maintainers

@hensoko hensoko <hensoko@pub.solar>
@cherrypiejam Gongqi Huang