PT-2026-33235 · Npm · @Vendure/Core

Published 2026-04-14 · Updated 2026-04-22 · CVE-2026-40887

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

@vendure/core versions prior to 2.3.4
@vendure/core versions 3.0.0 through 3.5.6
@vendure/core versions 3.6.0 through 3.6.1
Description

An unauthenticated SQL injection exists in the Shop API and an authenticated SQL injection exists in the Admin API. The issue occurs because a user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing the execution of arbitrary SQL against PostgreSQL, MySQL/MariaDB, and SQLite databases. Specifically, in the findOneBySlug() function of ProductService, the languageCode variable from the request context is embedded into a SQL CASE expression via a template literal. Since the languageCode value can originate from the HTTP query string and lacks runtime validation, an attacker can inject malicious SQL by appending a crafted languageCode parameter to Shop API requests.
Recommendations

Update @vendure/core to version 2.3.4, 3.5.7 or 3.6.2, whichever matches the release line in use. As a temporary workaround, apply a hotfix to the getLanguageCode() function in packages/core/src/service/helpers/request-context/request-context.service.ts so that it validates the languageCode input against the regular expression ^[a-zA-Z0-9 -]+$ before the value is processed.
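The bug class and the two defences above, as an added example that is not Vendure's code: a constructed stand-in for the slug lookup with the value spliced in by a template literal, beside a form that validates with the advisory's regular expression and binds the value as a query parameter. Table and column names, the helper names and the placeholder style are assumptions.

```typescript
// Workaround from the advisory: accept only what this regex allows before the
// value reaches any SQL. Hypothetical helper, not Vendure's getLanguageCode().
const LANGUAGE_CODE_RE = /^[a-zA-Z0-9 -]+$/;

function isValidLanguageCode(value: string): boolean {
  return LANGUAGE_CODE_RE.test(value);
}

// Vulnerable pattern (constructed stand-in, not the real query): the
// request-supplied value is spliced into a CASE expression by a template
// literal, so whatever it contains is interpreted as SQL text.
function buildSlugLookupVulnerable(languageCode: string): string {
  return (
    `SELECT product_id FROM product_translation ` +
    `ORDER BY CASE WHEN language_code = '${languageCode}' THEN 0 ELSE 1 END ` +
    `LIMIT 1`
  );
}

// Hardened form: the value is validated first and then travels as a bound
// parameter (`?` placeholder assumed), never as part of the SQL string.
interface BoundQuery {
  sql: string;
  params: string[];
}

function buildSlugLookupSafe(languageCode: string): BoundQuery {
  if (!isValidLanguageCode(languageCode)) {
    throw new Error('invalid languageCode');
  }
  return {
    sql:
      `SELECT product_id FROM product_translation ` +
      `ORDER BY CASE WHEN language_code = ? THEN 0 ELSE 1 END LIMIT 1`,
    params: [languageCode],
  };
}

// Detection aid for access logs: a languageCode query parameter containing
// quotes, comment markers or statement separators cannot be a language code.
function looksSuspicious(languageCode: string): boolean {
  return /['";]|--|\/\*/.test(languageCode);
}
```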

Fix

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2026-40887
GHSA-9PP3-53P2-WW9V

Affected Products

@Vendure/Core