CVE-2026-25757: Unauthenticated Spree Commerce users can view completed guest orders by Order ID

(updated )

This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers).

References

Code Behaviors & Features

Detect and mitigate CVE-2026-25757 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →