vendure CVE Vulnerabilities & Metrics

Focus on vendure vulnerabilities and metrics.

Last updated: 08 Mar 2026, 23:25 UTC

About vendure Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with vendure. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total vendure CVEs: 2
Earliest CVE date: 02 May 2022, 13:15 UTC
Latest CVE date: 30 Jan 2026, 16:16 UTC

Latest CVE reference: CVE-2026-25050

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical vendure CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.75

Max CVSS: 3.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	2
4.0-6.9	0
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS vendure CVEs

These are the five CVEs with the highest CVSS scores for vendure, sorted by severity first and recency.

CVE-2022-23065 vendure Published on 02 May 2022, 13:15 UTC (CVSS: 3.5)
In Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by Stored XSS vulnerability, where an attacker having catalog permission can upload a SVG file that contains malicious JavaScript into the “Assets” tab. The uploaded file will affect administrators as well as regular users.
CVE-2026-25050 vendure Published on 30 Jan 2026, 16:16 UTC (CVSS: 0)
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timin...

All CVEs for vendure

CVE-2026-25050 vendure vulnerability CVSS: 0 30 Jan 2026, 16:16 UTC

Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue.

CVE-2022-23065 vendure vulnerability CVSS: 3.5 02 May 2022, 13:15 UTC

In Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by Stored XSS vulnerability, where an attacker having catalog permission can upload a SVG file that contains malicious JavaScript into the “Assets” tab. The uploaded file will affect administrators as well as regular users.