CVE-2026-25758

Summary

Unauthenticated Spree Commerce users can access all guest addresses

Severity

high

EPSS

0.6% (p44)

Also known as

GHSA-87fh-rc96-6fr6

Published

2026-02-05

References

• https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
• https://nvd.nist.gov/vuln/detail/CVE-2026-25758
• https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734

Related advisories

• CVE-2020-26223 — high · RubyGems/spree_api
• CVE-2026-22588 — medium · RubyGems/spree_api

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity