Remote Command Execution Flaw in Spreecommerce API
CVE-2011-10026

9.3CRITICAL

Key Information:

Vendor

Spreecommerce

Status
Spreecommerce
Vendor
CVE Published:
20 August 2025

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 65%

What is CVE-2011-10026?

Spreecommerce versions prior to 0.50.x are susceptible to a remote command execution vulnerability due to insufficient input validation in the API's search functionality. This weakness allows unauthenticated attackers to inject arbitrary shell commands by manipulating the search[instance_eval] parameter. The commands are executed on the server using Ruby’s dynamic method invocation, which can lead to unauthorized access and control of the affected system.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Spreecommerce * < 0.50.x

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2011-10026 - Proof of Concept

CVE-2011-10026 - Proof of Concept

References

https://raw.githubusercontent.com/rapid7/metasploit-frame...
exploit
https://www.exploit-db.com/exploits/17199
exploit
https://web.archive.org/web/20111120023342/http://spreeco...
vendor-advisorypatch

EPSS Score

65% chance of being exploited in the next 30 days.

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Joernchen (Phenoelit)
JSON
.