@vendure/core

A modern, headless ecommerce framework
Licenses: GPL-3.0 | MIT

License

GPL-3.0>=3.0.0-next.0;
MIT>=0.1.0-alpha.1 <3.0.0-next.0;

Direct Vulnerabilities

Known vulnerabilities in the @vendure/core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free
VulnerabilityVulnerable Version
  • H
SQL Injection

>=1.7.4 <2.3.4>=3.0.0-next.0 <3.5.7>=3.6.0 <3.6.2
  • M
Information Exposure

<3.5.3
  • M
Improper Input Validation

<2.1.3
  • M
Cross-site Request Forgery (CSRF)

<2.0.3
  • M
Cross-site Scripting (XSS)

<1.5.2

Package versions

638 VERSIONS IN TOTAL See all versions
versionpublisheddirect vulnerabilities
3.8.0-minor-20260711031311 Jul, 2026
  • 0
    C
  • 0
    H
  • 0
    M
  • 0
    L
3.8.0-minor-2026070803148 Jul, 2026
  • 0
    C
  • 0
    H
  • 0
    M
  • 0
    L
3.8.0-minor-2026070712277 Jul, 2026
  • 0
    C
  • 0
    H
  • 0
    M
  • 0
    L
3.8.0-minor-2026070703087 Jul, 2026
  • 0
    C
  • 0
    H
  • 0
    M
  • 0
    L
3.8.0-minor-2026070603086 Jul, 2026
  • 0
    C
  • 0
    H
  • 0
    M
  • 0
    L
3.8.0-minor-2026070403074 Jul, 2026
  • 0
    C
  • 0
    H
  • 0
    M
  • 0
    L
3.8.0-minor-2026070203072 Jul, 2026
  • 0
    C
  • 0
    H
  • 0
    M
  • 0
    L
3.7.1-master-20260711030511 Jul, 2026
  • 0
    C
  • 0
    H
  • 0
    M
  • 0
    L
3.7.1-master-2026070803068 Jul, 2026
  • 0
    C
  • 0
    H
  • 0
    M
  • 0
    L
3.7.1-master-2026070703087 Jul, 2026
  • 0
    C
  • 0
    H
  • 0
    M
  • 0
    L