GHSA-9pp3-53p2-ww9v: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in @vendure/core

April 14, 2026

An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite).

The Admin API is also affected, though exploitation there requires authentication.

References

github.com/advisories/GHSA-9pp3-53p2-ww9v
github.com/vendurehq/vendure
github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v

Code Behaviors & Features

Detect and mitigate GHSA-9pp3-53p2-ww9v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →