Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: typstPackages.spreet_0_1_0

Found 2 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-25757
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

Affected products

spree
  • ==< 5.0.8
  • ==>= 5.1.0, < 5.1.10
  • ==>= 5.2.0, < 5.2.7
  • ==>= 5.3.0, < 5.3.2

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-25758
created 2 months, 1 week ago Activity log
  • Created suggestion 2 months, 1 week ago
Spree allows unauthenticated users can access all guest addresses

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.

Affected products

spree
  • ==>= 5.0.0, < 5.0.8
  • ==< 4.10.3
  • ==>= 5.2.0.rc1, < 5.2.7
  • ==>= 5.3.0.rc2, < 5.3.2
  • ==>= 5.1.0.beta, < 5.1.10

Matching in nixpkgs

Package maintainers