Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/silverstripe/graphql@3.1.5

Type composer

Namespace silverstripe

Name graphql

Version 3.1.5

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.8.2

Latest_non_vulnerable_version 5.1.3

Affected_by_vulnerabilities

url VCID-414d-7bfm-kud7

vulnerability_id VCID-414d-7bfm-kud7

summary

Incorrect Authorization
Default SilverStripe GraphQL Server (aka silverstripe/graphql) permission checker is not inherited by query subclass.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-28661

reference_id

reference_type

scores

value	0.00169
scoring_system	epss
scoring_elements	0.38154
published_at	2026-04-02T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.38024
published_at	2026-04-21T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.38087
published_at	2026-04-18T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.38107
published_at	2026-04-16T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.38062
published_at	2026-04-13T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.38097
published_at	2026-04-08T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.38047
published_at	2026-04-07T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.38176
published_at	2026-04-04T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.37972
published_at	2026-04-01T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.38086
published_at	2026-04-12T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.38123
published_at	2026-04-11T12:55:00Z

value	0.00169
scoring_system	epss
scoring_elements	0.38105
published_at	2026-04-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-28661

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2021-28661.yaml

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2021-28661.yaml

reference_url

https://github.com/silverstripe/silverstripe-graphql

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/silverstripe/silverstripe-graphql

reference_url

https://github.com/silverstripe/silverstripe-graphql/pull/407/commits/16961459f681f7b32145296189dfdbcc7715e6ed

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/silverstripe/silverstripe-graphql/pull/407/commits/16961459f681f7b32145296189dfdbcc7715e6ed

reference_url

https://github.com/silverstripe/silverstripe-graphql/releases

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/silverstripe/silverstripe-graphql/releases

reference_url

https://github.com/silverstripe/silverstripe-graphql/releases/tag/3.5.2

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/silverstripe/silverstripe-graphql/releases/tag/3.5.2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-28661

reference_id

CVE-2021-28661

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-28661

reference_url

https://www.silverstripe.org/download/security-releases/CVE-2021-28661

reference_id

CVE-2021-28661

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.silverstripe.org/download/security-releases/CVE-2021-28661

reference_url

https://github.com/advisories/GHSA-r7rh-g777-g5gx

reference_id

GHSA-r7rh-g777-g5gx

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r7rh-g777-g5gx

fixed_packages

url pkg:composer/silverstripe/graphql@3.5.2

purl pkg:composer/silverstripe/graphql@3.5.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-zaty-jxqd-hyb4

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@3.5.2

aliases CVE-2021-28661, GHSA-r7rh-g777-g5gx

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-414d-7bfm-kud7

url VCID-ajga-3b99-yugh

vulnerability_id VCID-ajga-3b99-yugh

summary

Authentication bypass in SilverStripe GraphQL
The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.

Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-26136

reference_id

reference_type

scores

value	0.00216
scoring_system	epss
scoring_elements	0.44156
published_at	2026-04-21T12:55:00Z

value	0.00216
scoring_system	epss
scoring_elements	0.44118
published_at	2026-04-01T12:55:00Z

value	0.00216
scoring_system	epss
scoring_elements	0.44182
published_at	2026-04-02T12:55:00Z

value	0.00216
scoring_system	epss
scoring_elements	0.44206
published_at	2026-04-04T12:55:00Z

value	0.00216
scoring_system	epss
scoring_elements	0.44137
published_at	2026-04-07T12:55:00Z

value	0.00216
scoring_system	epss
scoring_elements	0.44188
published_at	2026-04-08T12:55:00Z

value	0.00216
scoring_system	epss
scoring_elements	0.44193
published_at	2026-04-09T12:55:00Z

value	0.00216
scoring_system	epss
scoring_elements	0.44208
published_at	2026-04-11T12:55:00Z

value	0.00216
scoring_system	epss
scoring_elements	0.44176
published_at	2026-04-13T12:55:00Z

value	0.00216
scoring_system	epss
scoring_elements	0.44237
published_at	2026-04-16T12:55:00Z

value	0.00216
scoring_system	epss
scoring_elements	0.44227
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-26136

reference_url

https://forum.silverstripe.org/c/releases

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://forum.silverstripe.org/c/releases

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-26136.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-26136.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-26136

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-26136

reference_url

https://www.silverstripe.org/blog/tag/release

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.silverstripe.org/blog/tag/release

reference_url

https://www.silverstripe.org/download/security-releases

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.silverstripe.org/download/security-releases

reference_url	https://www.silverstripe.org/download/security-releases/
reference_id
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/

reference_url

https://www.silverstripe.org/download/security-releases/cve-2020-26136

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.silverstripe.org/download/security-releases/cve-2020-26136

reference_url

https://github.com/advisories/GHSA-mg2g-8pwj-r2j2

reference_id

GHSA-mg2g-8pwj-r2j2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mg2g-8pwj-r2j2

fixed_packages

url pkg:composer/silverstripe/graphql@3.5.0

purl pkg:composer/silverstripe/graphql@3.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-414d-7bfm-kud7

vulnerability	VCID-ajga-3b99-yugh

vulnerability	VCID-zaty-jxqd-hyb4

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@3.5.0

url pkg:composer/silverstripe/graphql@3.6.0-alpha1

purl pkg:composer/silverstripe/graphql@3.6.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-zaty-jxqd-hyb4

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@3.6.0-alpha1

url	pkg:composer/silverstripe/graphql@4.0.0-alpha2
purl	pkg:composer/silverstripe/graphql@4.0.0-alpha2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.0.0-alpha2

aliases CVE-2020-26136, GHSA-mg2g-8pwj-r2j2

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ajga-3b99-yugh

url VCID-zaty-jxqd-hyb4

vulnerability_id VCID-zaty-jxqd-hyb4

summary

Uncontrolled Resource Consumption
silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this may further mitigate the risk. This issue has been addressed in versions 3.8.2, 4.1.3, 4.2.5, 4.3.4, and 5.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-40180

reference_id

reference_type

scores

value	0.0068
scoring_system	epss
scoring_elements	0.71536
published_at	2026-04-07T12:55:00Z

value	0.0068
scoring_system	epss
scoring_elements	0.71606
published_at	2026-04-21T12:55:00Z

value	0.0068
scoring_system	epss
scoring_elements	0.71625
published_at	2026-04-18T12:55:00Z

value	0.0068
scoring_system	epss
scoring_elements	0.71621
published_at	2026-04-16T12:55:00Z

value	0.0068
scoring_system	epss
scoring_elements	0.71594
published_at	2026-04-12T12:55:00Z

value	0.0068
scoring_system	epss
scoring_elements	0.7161
published_at	2026-04-11T12:55:00Z

value	0.0068
scoring_system	epss
scoring_elements	0.71587
published_at	2026-04-09T12:55:00Z

value	0.0068
scoring_system	epss
scoring_elements	0.71576
published_at	2026-04-13T12:55:00Z

value	0.0068
scoring_system	epss
scoring_elements	0.71546
published_at	2026-04-02T12:55:00Z

value	0.0068
scoring_system	epss
scoring_elements	0.71563
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-40180

reference_url

https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T17:21:23Z/

url

https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries

reference_url

https://github.com/silverstripe/silverstripe-graphql

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/silverstripe/silverstripe-graphql

reference_url

https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T17:21:23Z/

url

https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c

reference_url

https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T17:21:23Z/

url

https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-40180

reference_id

CVE-2023-40180

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-40180

reference_url

https://www.silverstripe.org/download/security-releases/CVE-2023-40180

reference_id

CVE-2023-40180

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T17:21:23Z/

url

https://www.silverstripe.org/download/security-releases/CVE-2023-40180

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2023-40180.yaml

reference_id

CVE-2023-40180.YAML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2023-40180.yaml

reference_url

https://github.com/advisories/GHSA-v23w-pppm-jh66

reference_id

GHSA-v23w-pppm-jh66

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v23w-pppm-jh66

reference_url

https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66

reference_id

GHSA-v23w-pppm-jh66

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T17:21:23Z/

url

https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66

fixed_packages

url	pkg:composer/silverstripe/graphql@3.8.2
purl	pkg:composer/silverstripe/graphql@3.8.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@3.8.2

url pkg:composer/silverstripe/graphql@4.0.0-alpha1

purl pkg:composer/silverstripe/graphql@4.0.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ajga-3b99-yugh

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.0.0-alpha1

url pkg:composer/silverstripe/graphql@4.1.3

purl pkg:composer/silverstripe/graphql@4.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mvj-w9yw-kyac

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.1.3

url pkg:composer/silverstripe/graphql@4.2.5

purl pkg:composer/silverstripe/graphql@4.2.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mvj-w9yw-kyac

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.5

url pkg:composer/silverstripe/graphql@4.3.0-rc1

purl pkg:composer/silverstripe/graphql@4.3.0-rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mvj-w9yw-kyac

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.0-rc1

url pkg:composer/silverstripe/graphql@4.3.4

purl pkg:composer/silverstripe/graphql@4.3.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mvj-w9yw-kyac

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.4

url	pkg:composer/silverstripe/graphql@5.0.0-alpha1
purl	pkg:composer/silverstripe/graphql@5.0.0-alpha1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.0-alpha1

url pkg:composer/silverstripe/graphql@5.0.3

purl pkg:composer/silverstripe/graphql@5.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mvj-w9yw-kyac

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.3

url pkg:composer/silverstripe/graphql@5.1.0-beta1

purl pkg:composer/silverstripe/graphql@5.1.0-beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mvj-w9yw-kyac

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.1.0-beta1

aliases CVE-2023-40180, GHSA-v23w-pppm-jh66

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zaty-jxqd-hyb4

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@3.1.5

Package Instance