QwikSec

Security Database

CVE

CWE

Training

CVE-2011-10026

Published: Aug 20, 2025

Modified: May 15, 2026

PUBLISHED

Description

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. This flaw enables unauthenticated attackers to execute commands on the server.

Vendor	Product	Versions
Spreecommerce	Spreecommerce	affected `0 - < 0.50.*`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_searchlogic_exec.rb

exploit

https://www.exploit-db.com/exploits/17199

exploit

https://web.archive.org/web/20111120023342/http://spreecommerce.com/blog/2011/04/19/security-fixes

vendor-advisory

patch

https://github.com/spree

product

https://www.vulncheck.com/advisories/spreecommerce-api-rce

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2011-10026 - Security Vulnerability | QwikSec