Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/201092?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/201092?format=api", "purl": "pkg:composer/yiisoft/yii2-gii@2.0.0-alpha", "type": "composer", "namespace": "yiisoft", "name": "yii2-gii", "version": "2.0.0-alpha", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44256?format=api", "vulnerability_id": "VCID-1yn3-2dn2-t7ec", "summary": "Command injection in yiisoft/yii2-gii\nYii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36655", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04201", "scoring_system": "epss", "scoring_elements": "0.88941", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.04201", "scoring_system": "epss", "scoring_elements": "0.88924", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36655" }, { "reference_url": "https://github.com/yiisoft/yii2-gii", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yiisoft/yii2-gii" }, { "reference_url": "https://github.com/yiisoft/yii2-gii/commit/ed61e0d85f43e23f79d7c9d1b4e5e5c09a32ce4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yiisoft/yii2-gii/commit/ed61e0d85f43e23f79d7c9d1b4e5e5c09a32ce4b" }, { "reference_url": "https://github.com/yiisoft/yii2-gii/issues/433", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-02T13:47:08Z/" } ], "url": "https://github.com/yiisoft/yii2-gii/issues/433" }, { "reference_url": "https://lab.wallarm.com/yii2-gii-remote-code-execution", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lab.wallarm.com/yii2-gii-remote-code-execution" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36655", "reference_id": "CVE-2020-36655", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36655" }, { "reference_url": "https://github.com/advisories/GHSA-3mpg-q26j-83j5", "reference_id": "GHSA-3mpg-q26j-83j5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3mpg-q26j-83j5" }, { "reference_url": "https://lab.wallarm.com/yii2-gii-remote-code-execution/", "reference_id": "yii2-gii-remote-code-execution", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-02T13:47:08Z/" } ], "url": "https://lab.wallarm.com/yii2-gii-remote-code-execution/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63666?format=api", "purl": "pkg:composer/yiisoft/yii2-gii@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j49j-9han-aug5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.2.2" } ], "aliases": [ "CVE-2020-36655", "GHSA-3mpg-q26j-83j5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1yn3-2dn2-t7ec" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37852?format=api", "vulnerability_id": "VCID-hhby-y7fg-tqax", "summary": "Cross-site Scripting\nCross-site scripting (XSS) vulnerability in Yii Framework allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2015-3397", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56227", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56282", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2015-3397" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2015-3397.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2015-3397.yaml" }, { "reference_url": "https://github.com/yiisoft/yii2/blob/2.0.4/framework/CHANGELOG.md", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yiisoft/yii2/blob/2.0.4/framework/CHANGELOG.md" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3397", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3397" }, { "reference_url": "https://web.archive.org/web/20210122155403/http://www.securityfocus.com/bid/74663", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210122155403/http://www.securityfocus.com/bid/74663" }, { "reference_url": "https://www.yiiframework.com/news/86/yii-2-0-4-is-released", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.yiiframework.com/news/86/yii-2-0-4-is-released" }, { "reference_url": "https://www.yiiframework.com/news/86/yii-2-0-4-is-released/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.yiiframework.com/news/86/yii-2-0-4-is-released/" }, { "reference_url": "http://www.securityfocus.com/bid/74663", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.securityfocus.com/bid/74663" }, { "reference_url": "http://www.yiiframework.com/news/86/yii-2-0-4-is-released", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.yiiframework.com/news/86/yii-2-0-4-is-released" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52272?format=api", "purl": "pkg:composer/yiisoft/yii2-gii@2.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1yn3-2dn2-t7ec" }, { "vulnerability": "VCID-j49j-9han-aug5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.4" } ], "aliases": [ "CVE-2015-3397", "GHSA-w2xx-jp9f-gp8g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hhby-y7fg-tqax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/109625?format=api", "vulnerability_id": "VCID-j49j-9han-aug5", "summary": "Yii2 Gii Cross-site Scripting vulnerability\nSome fields like Message Category (requires I18N enabled) in Model Generator, CRUD Generator or Form Generator, Author Name in Extension Generator, etc. are being cached without sanitisation of their contents when the Preview button is pressed. This leads to possibility of injecting malicious javascript in specified pages by placing it in said fields and caching it by pressing Preview button. On each consequent visit of specified pages malicious javascript will be loaded from server and executed in client's browser.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-34297", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00227", "scoring_system": "epss", "scoring_elements": "0.45557", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00227", "scoring_system": "epss", "scoring_elements": "0.45488", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-34297" }, { "reference_url": "https://gist.github.com/be4r/b5c48d97ef6726d3ee37f995ee5aac81", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T20:24:57Z/" } ], "url": "https://gist.github.com/be4r/b5c48d97ef6726d3ee37f995ee5aac81" }, { "reference_url": "https://github.com/yiisoft/yii2-gii", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yiisoft/yii2-gii" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34297", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34297" }, { "reference_url": "https://www.yiiframework.com/doc/guide/2.0/en/start-gii", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.yiiframework.com/doc/guide/2.0/en/start-gii" }, { "reference_url": "https://github.com/advisories/GHSA-x87m-36g7-6mpw", "reference_id": "GHSA-x87m-36g7-6mpw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x87m-36g7-6mpw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/625928?format=api", "purl": "pkg:composer/yiisoft/yii2-gii@2.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.2.5" } ], "aliases": [ "CVE-2022-34297", "GHSA-x87m-36g7-6mpw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j49j-9han-aug5" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.0-alpha" }