Lookup for vulnerable packages by Package URL.

Purl pkg:npm/node-red@0.14.1
Type npm
Namespace
Name node-red
Version 0.14.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.2.8
Latest_non_vulnerable_version 1.2.8
Affected_by_vulnerabilities
0
url VCID-1y32-5wc9-4uhv
vulnerability_id VCID-1y32-5wc9-4uhv
summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in node-red.
references
0
reference_url https://hackerone.com/reports/349146
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/349146
1
reference_url https://www.npmjs.com/advisories/993
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/993
2
reference_url https://github.com/advisories/GHSA-5g6j-8hv4-vfgj
reference_id GHSA-5g6j-8hv4-vfgj
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5g6j-8hv4-vfgj
fixed_packages
0
url pkg:npm/node-red@0.18.6
purl pkg:npm/node-red@0.18.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gh2h-q3t6-ebeb
1
vulnerability VCID-h7v4-5z1t-aqbk
2
vulnerability VCID-m5kp-t88v-fufu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/node-red@0.18.6
aliases GHSA-5g6j-8hv4-vfgj, GMS-2020-752
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1y32-5wc9-4uhv
1
url VCID-gh2h-q3t6-ebeb
vulnerability_id VCID-gh2h-q3t6-ebeb
summary
Cross-site Scripting
A stored XSS vulnerability is present within the node-red npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-15607
reference_id
reference_type
scores
0
value 0.00197
scoring_system epss
scoring_elements 0.41433
published_at 2026-06-04T12:55:00Z
1
value 0.00197
scoring_system epss
scoring_elements 0.41508
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-15607
1
reference_url https://hackerone.com/reports/681986
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/681986
2
reference_url https://www.npmjs.com/advisories/1456
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1456
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-15607
reference_id CVE-2019-15607
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-15607
4
reference_url https://github.com/advisories/GHSA-8w65-xjc5-9w79
reference_id GHSA-8w65-xjc5-9w79
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8w65-xjc5-9w79
fixed_packages
0
url pkg:npm/node-red@0.20.8
purl pkg:npm/node-red@0.20.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-h7v4-5z1t-aqbk
1
vulnerability VCID-m5kp-t88v-fufu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/node-red@0.20.8
aliases CVE-2019-15607, GHSA-8w65-xjc5-9w79
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gh2h-q3t6-ebeb
2
url VCID-h7v4-5z1t-aqbk
vulnerability_id VCID-h7v4-5z1t-aqbk
summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the release. A workaround is to ensure only authorized users are able to access the editor URL.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21297
reference_id
reference_type
scores
0
value 0.0023
scoring_system epss
scoring_elements 0.4596
published_at 2026-06-05T12:55:00Z
1
value 0.0023
scoring_system epss
scoring_elements 0.45892
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21297
1
reference_url https://github.com/node-red/node-red
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/node-red/node-red
2
reference_url https://github.com/node-red/node-red/releases/tag/1.2.8
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/node-red/node-red/releases/tag/1.2.8
3
reference_url https://www.npmjs.com/package/@node-red/editor-api
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/@node-red/editor-api
4
reference_url https://www.npmjs.com/package/@node-red/runtime
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/@node-red/runtime
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21297
reference_id CVE-2021-21297
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21297
6
reference_url https://github.com/advisories/GHSA-xp9c-82x8-7f67
reference_id GHSA-xp9c-82x8-7f67
reference_type
scores
url https://github.com/advisories/GHSA-xp9c-82x8-7f67
7
reference_url https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67
reference_id GHSA-xp9c-82x8-7f67
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67
fixed_packages
0
url pkg:npm/node-red@1.2.8
purl pkg:npm/node-red@1.2.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/node-red@1.2.8
aliases CVE-2021-21297, GHSA-xp9c-82x8-7f67
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h7v4-5z1t-aqbk
3
url VCID-m5kp-t88v-fufu
vulnerability_id VCID-m5kp-t88v-fufu
summary
Path Traversal
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The vulnerability applies only to the Projects feature, which is not enabled by default in Node-RED. The primary workaround is to not give untrusted users read access to the Node-RED editor.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21298
reference_id
reference_type
scores
0
value 0.00365
scoring_system epss
scoring_elements 0.5882
published_at 2026-06-04T12:55:00Z
1
value 0.00365
scoring_system epss
scoring_elements 0.58866
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21298
1
reference_url https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/node-red/node-red/commit/74db3e17d075f23d9c95d7871586cf461524c456
2
reference_url https://github.com/node-red/node-red/releases/tag/1.2.8
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/node-red/node-red/releases/tag/1.2.8
3
reference_url https://www.npmjs.com/package/@node-red/runtime
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/@node-red/runtime
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21298
reference_id CVE-2021-21298
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21298
5
reference_url https://github.com/advisories/GHSA-m33v-338h-4v9f
reference_id GHSA-m33v-338h-4v9f
reference_type
scores
url https://github.com/advisories/GHSA-m33v-338h-4v9f
6
reference_url https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f
reference_id GHSA-m33v-338h-4v9f
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/node-red/node-red/security/advisories/GHSA-m33v-338h-4v9f
fixed_packages
0
url pkg:npm/node-red@1.2.8
purl pkg:npm/node-red@1.2.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/node-red@1.2.8
aliases CVE-2021-21298, GHSA-m33v-338h-4v9f
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m5kp-t88v-fufu
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/node-red@0.14.1