CVE-2026-40887
Vendure · Vendure
An unauthenticated SQL injection vulnerability in the Vendure Shop API allows remote attackers to execute arbitrary SQL commands against the backend database.
Executive summary
An unauthenticated SQL injection vulnerability in the Vendure Shop API permits remote attackers to execute arbitrary database queries, leading to potential unauthorized data access or modification.
Vulnerability
An input validation failure in the Shop API lets unauthenticated users inject SQL through query string parameters that are processed without sufficient sanitization.
Business impact
This vulnerability carries a CVSS score of 9.1, indicating a critical risk to business operations. Exploitation could result in the exfiltration of sensitive customer data, unauthorized administrative access, or complete database corruption, causing significant reputational and operational harm.
Remediation
Immediate Action: Upgrade to version 2.3.4, 3.5.7, or 3.6.2, whichever matches your current deployment branch.
Proactive Monitoring: Review database query logs for syntax errors, unexpected union selects, or signs of reconnaissance activity targeting the Vendure Shop API.
Compensating Controls: Apply the vendor-provided hotfix to the RequestContextService so that languageCode inputs are validated, or deploy a WAF rule that blocks SQL injection patterns in query strings.
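As an added example (not Vendure's code or the vendor hotfix itself), the following TypeScript sketches the two defensive pieces the remediation steps describe: a strict allowlist check for the languageCode query parameter, in the spirit of the RequestContextService fix, and a triage helper that flags the query-log indicators named under Proactive Monitoring. The allowlist, the assumed code format and the sample log lines are constructed for this illustration.

```typescript
// Added example, not Vendure's own code. The allowlist, the assumed code
// format and the sample log lines below are constructed for illustration;
// a real deployment would check against the application's own LanguageCode set.
const ALLOWED_LANGUAGE_CODES: ReadonlySet<string> = new Set([
  "en", "de", "fr", "es", "pt_BR", "zh_Hans",
]);

// Assumed shape: 2-3 letter base code plus optional script/region suffix.
// Quotes, spaces and comment markers fail here before reaching any query.
const LANGUAGE_CODE_SHAPE = /^[a-z]{2,3}(_[A-Za-z]{2,4})?$/;
type ValidationResult =
  | { ok: true; languageCode: string }
  | { ok: false; reason: string };

function validateLanguageCode(raw: unknown, fallback = "en"): ValidationResult {
  // Absent parameter: use the configured default, never raw input.
  if (raw === undefined || raw === null || raw === "") {
    return { ok: true, languageCode: fallback };
  }
  // ?languageCode=a&languageCode=b parses to an array; reject non-strings.
  if (typeof raw !== "string") {
    return { ok: false, reason: "languageCode must be a single string" };
  }
  if (raw.length > 16 || !LANGUAGE_CODE_SHAPE.test(raw)) {
    return { ok: false, reason: "languageCode has an invalid format" };
  }
  // Shape alone is not enough: only codes the shop actually enables pass.
  if (!ALLOWED_LANGUAGE_CODES.has(raw)) {
    return { ok: false, reason: "languageCode is not an enabled language" };
  }
  return { ok: true, languageCode: raw };
}

// Monitoring step: flag query-log lines carrying a syntax error or an
// unexpected UNION SELECT, the two indicators the advisory calls out.
const SUSPICIOUS_QUERY_LOG = [/syntax error/i, /\bunion\s+(all\s+)?select\b/i];

function flagSuspiciousQueryLogLines(lines: string[]): string[] {
  return lines.filter((line) => SUSPICIOUS_QUERY_LOG.some((re) => re.test(line)));
}

// Constructed PostgreSQL-style sample lines; the second and third are flagged.
function reviewSampleQueryLog(): string[] {
  return flagSuspiciousQueryLogLines([
    "LOG:  statement: SELECT id FROM product_translation WHERE language_code = $1",
    "ERROR:  syntax error at or near \"'\" at character 58",
    "LOG:  statement: SELECT name FROM product_translation WHERE language_code = 'en' UNION SELECT 1",
  ]);
}
```

The allowlist check belongs where the request context is built, so that a rejected value never reaches the query layer; the log triage is a starting point for the review, not a replacement for upgrading.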
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the ease of exploitation and the potential for total database compromise, organizations must apply the provided patches or hotfixes immediately. Ensure all database backends (PostgreSQL, MySQL, SQLite) are protected by the updated validation logic.