CVE-2026-40887: @vendure/core has a SQL Injection vulnerability

April 14, 2026 (updated April 15, 2026)

An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite).

The Admin API is also affected, though exploitation there requires authentication.

References

github.com/advisories/GHSA-9pp3-53p2-ww9v
github.com/vendurehq/vendure
github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v
nvd.nist.gov/vuln/detail/CVE-2026-40887

Code Behaviors & Features

Detect and mitigate CVE-2026-40887 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →