Tag
An unauthenticated SQL injection vulnerability (CVE-2026-40887) exists in the Vendure Shop API affecting PostgreSQL, MySQL/MariaDB, and SQLite databases, where a user-controlled query string parameter is directly interpolated into a raw SQL expression, potentially leading to arbitrary code execution.