RCE in Spreecommerce
CVE-2011-10019
Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in their search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked us…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.693 (98.7th percentile).
Affected products
- Spreecommerce — versions 0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/m… (exploit)
- www.exploit-db.com/exploits/17941 (exploit)
- web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/rem… (vendor-advisory, patch)
- www.vulncheck.com/advisories/spreecommerce-search-parameter-rce (third-party-advisory)
- github.com/orgs/spree (product)
Frequently asked questions
- What is CVE-2011-10019?
- CVE-2011-10019 is a vulnerability in Spreecommerce, classified under Code Injection. Published 2025-08-13.
- Is CVE-2011-10019 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.