CVE-2011-10026 CRITICAL

CVE-2011-10026: Spreecommerce < 0.50.x API RCE

Vendor Spreecommerce
Product Spreecommerce
Weakness CWE-78
Published August 20, 2025
Last update May 15, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. This flaw enables unauthenticated attackers to execute commands on the server.

Key dates

02Disclosure timeline

August 20, 2025 CVE published
May 15, 2026 Record updated