Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. This flaw enables unauthenticated attackers to execute commands on the server.
Security readout for executives and security teams
Plain-English summary
Older Spreecommerce installations before 0.50.x can allow unauthenticated remote command execution through API search handling. A vulnerable public store could let an attacker run server-side commands, risking full compromise of application data, availability, and hosted environment integrity.
Executive priority
Treat this as urgent for any legacy Spreecommerce estate. The risk is unauthenticated server compromise, and public exploit material exists, even though the provided sources do not prove active exploitation.
Technical view
The issue is CWE-78 command injection in Spreecommerce API search functionality. Input to search[instance_eval] is insufficiently sanitized and dynamically invoked through Ruby send, enabling unauthenticated network attackers to execute commands. The supplied CVSS v4 score is 9.3 critical.
Likely exposure
Exposure is most likely in legacy Spreecommerce deployments below 0.50.x, especially if API search functionality is reachable from the internet. Current or non-Spreecommerce systems are not shown as affected by the bundle.
Exploitation context
Public exploit references exist, including Metasploit and Exploit-DB entries. The bundle marks CISA KEV as false and provides no evidence of active exploitation, so active exploitation should not be assumed.
Researcher notes
Focus on version confirmation, reachable API surface, and historical evidence of suspicious search parameter use. Avoid assuming all Spreecommerce versions are affected; the provided scope is versions prior to 0.50.x.
Mitigation direction
Upgrade affected Spreecommerce deployments to 0.50.x or later per vendor guidance.
Review the archived vendor security advisory before changing legacy production systems.
Restrict public access to vulnerable API functionality until remediation is complete.
Retire unsupported legacy Spreecommerce instances where upgrade is not practical.
Validation and detection
Inventory Spreecommerce versions across production, staging, and archived environments.
Confirm whether API search functionality is internet reachable on legacy systems.
Review application and web logs for suspicious API search parameters.
Verify remediation by confirming the deployed version is 0.50.x or later.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-78: Command execution behavior lookup
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-78 · source CWE mapping
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.