Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/174176?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/174176?format=api", "purl": "pkg:gem/rack@2.2.21", "type": "gem", "namespace": "", "name": "rack", "version": "2.2.21", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.2.23", "latest_non_vulnerable_version": "3.2.6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50172?format=api", "vulnerability_id": "VCID-bj83-rx84-v3g9", "summary": "Rack has a Directory Traversal via Rack:Directory\n`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/" } ], "url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479", "reference_id": "1128479", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440737", "reference_id": "2440737", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440737" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22860", "reference_id": "CVE-2026-22860", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22860" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml", "reference_id": "CVE-2026-22860.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml" }, { "reference_url": "https://github.com/advisories/GHSA-mxw3-3hh2-x2mh", "reference_id": "GHSA-mxw3-3hh2-x2mh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mxw3-3hh2-x2mh" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh", "reference_id": "GHSA-mxw3-3hh2-x2mh", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74064?format=api", "purl": "pkg:gem/rack@2.2.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/74065?format=api", "purl": "pkg:gem/rack@3.1.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/74066?format=api", "purl": "pkg:gem/rack@3.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5" } ], "aliases": [ "CVE-2026-22860", "GHSA-mxw3-3hh2-x2mh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bj83-rx84-v3g9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50157?format=api", "vulnerability_id": "VCID-x373-rhh4-7khm", "summary": "Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href\n`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.\n\nThis results in a client-side XSS condition in directory listings generated by `Rack::Directory`.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/" } ], "url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480", "reference_id": "1128480", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440738", "reference_id": "2440738", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440738" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25500", "reference_id": "CVE-2026-25500", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25500" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml", "reference_id": "CVE-2026-25500.YML", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml" }, { "reference_url": "https://github.com/advisories/GHSA-whrj-4476-wvmp", "reference_id": "GHSA-whrj-4476-wvmp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-whrj-4476-wvmp" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp", "reference_id": "GHSA-whrj-4476-wvmp", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74064?format=api", "purl": "pkg:gem/rack@2.2.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/74065?format=api", "purl": "pkg:gem/rack@3.1.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/74066?format=api", "purl": "pkg:gem/rack@3.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5" } ], "aliases": [ "CVE-2026-25500", "GHSA-whrj-4476-wvmp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x373-rhh4-7khm" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.21" }