What is CVE-2011-10026?

CVE-2011-10026 is a vulnerability in Spreecommerce, classified under OS Command Injection. Published 2025-08-20.

Is CVE-2011-10026 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Spreecommerce

CVE-2011-10026

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] paramete…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.686 (98.6th percentile) — read the EPSS interpretation.

Affected products

Spreecommerce — versions 0

Weakness classification (CWE)

CWE-78 — OS Command Injection

Public proof-of-concept exploits

rapid7/metasploit-framework

References

raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/m… (exploit)
www.exploit-db.com/exploits/17199 (exploit)
web.archive.org/web/20111120023342/http://spreecommerce.com/blog/2011/04/19/sec… (vendor-advisory, patch)
github.com/spree (product)
www.vulncheck.com/advisories/spreecommerce-api-rce (third-party-advisory)

Frequently asked questions

What is CVE-2011-10026?: CVE-2011-10026 is a vulnerability in Spreecommerce, classified under OS Command Injection. Published 2025-08-20.
Is CVE-2011-10026 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.