# CVE-2026-40887

> Vulnerability · severity: **CRITICAL** (CVSS 9.1).

## Description

Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.

## Key facts

- **CVE ID:** CVE-2026-40887
- **Published:** 2026-04-21
- **CVSS severity:** CRITICAL
- **CVSS base score:** 9.1
- **CWE codes:** CWE-89

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40887

## Citation

> AI Analytics. CVE-2026-40887. Retrieved 2026-05-16 from https://api.ai-analytics.org/cve/CVE-2026-40887. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*