Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/27431?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/27431?format=api", "purl": "pkg:pypi/flask-appbuilder@4.0.0rc2", "type": "pypi", "namespace": "", "name": "flask-appbuilder", "version": "4.0.0rc2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.5.3", "latest_non_vulnerable_version": "4.5.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8800?format=api", "vulnerability_id": "VCID-cefr-t1w9-9yck", "summary": "Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34110", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00472", "scoring_system": "epss", "scoring_elements": "0.64951", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34110" }, { "reference_url": "https://github.com/dpgaspar/Flask-AppBuilder", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dpgaspar/Flask-AppBuilder" }, { "reference_url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/ae25ad4c87a9051ebe4a4e8f02aee73232642626", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/ae25ad4c87a9051ebe4a4e8f02aee73232642626" }, { "reference_url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/2045", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/2045" }, { "reference_url": "https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.2" }, { "reference_url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2023-94.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2023-94.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34110", "reference_id": "CVE-2023-34110", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34110" }, { "reference_url": "https://github.com/advisories/GHSA-jhpr-j7cq-3jp3", "reference_id": "GHSA-jhpr-j7cq-3jp3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jhpr-j7cq-3jp3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33144?format=api", "purl": "pkg:pypi/flask-appbuilder@4.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cezb-crna-wbgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.3.2" } ], "aliases": [ "CVE-2023-34110", "GHSA-jhpr-j7cq-3jp3", "PYSEC-2023-94" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cefr-t1w9-9yck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9316?format=api", "vulnerability_id": "VCID-cezb-crna-wbgc", "summary": "Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24023", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00504", "scoring_system": "epss", "scoring_elements": "0.66486", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24023" }, { "reference_url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-p8q5-cvwx-wvwp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/43337?format=api", "purl": "pkg:pypi/flask-appbuilder@4.5.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.5.3" } ], "aliases": [ "CVE-2025-24023", "GHSA-p8q5-cvwx-wvwp", "PYSEC-2025-15" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cezb-crna-wbgc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8444?format=api", "vulnerability_id": "VCID-dqzq-crpp-73f7", "summary": "Flask-AppBuilder is an application development framework built on top of Flask python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31177", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00344", "scoring_system": "epss", "scoring_elements": "0.57243", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31177" }, { "reference_url": "https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.1.3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.1.3" }, { "reference_url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-vgfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-vgfc" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-247.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-247.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31177", "reference_id": "CVE-2022-31177", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31177" }, { "reference_url": "https://github.com/advisories/GHSA-32ff-4g79-vgfc", "reference_id": "GHSA-32ff-4g79-vgfc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-32ff-4g79-vgfc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27441?format=api", "purl": "pkg:pypi/flask-appbuilder@4.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cefr-t1w9-9yck" }, { "vulnerability": "VCID-cezb-crna-wbgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.1.3" } ], "aliases": [ "CVE-2022-31177", "GHSA-32ff-4g79-vgfc", "PYSEC-2022-247" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dqzq-crpp-73f7" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/flask-appbuilder@4.0.0rc2" }