Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/total.js@3.3.0-29
Typenpm
Namespace
Nametotal.js
Version3.3.0-29
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.4.8
Latest_non_vulnerable_version3.4.9
Affected_by_vulnerabilities
0
url VCID-528e-s8wc-6ydu
vulnerability_id VCID-528e-s8wc-6ydu
summary 
Code Injection
The package `total.js` is vulnerable to Remote Code Execution (RCE) via `set`.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-23344
reference_id
reference_type
scores
0
value 0.12679
scoring_system epss
scoring_elements 0.94112
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-23344
1
reference_url https://github.com/totaljs/framework/commit/c812bbcab8981797d3a1b9993fc42dad3d246f04
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/commit/c812bbcab8981797d3a1b9993fc42dad3d246f04
2
reference_url https://snyk.io/vuln/SNYK-JS-TOTALJS-1077069
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-TOTALJS-1077069
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-23344
reference_id CVE-2021-23344
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-23344
fixed_packages
0
url pkg:npm/total.js@3.4.8
purl pkg:npm/total.js@3.4.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/total.js@3.4.8
aliases CVE-2021-23344, GHSA-3wj8-vp9h-rm6m
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-528e-s8wc-6ydu
1
url VCID-wmct-kms3-23hk
vulnerability_id VCID-wmct-kms3-23hk
summary 
Command Injection
This affects the package `total.js` The issue occurs in the `image.pipe` and `image.stream` functions. The type parameter is used to build the command that is then executed using `child_process.spawn.` The issue occurs because `child_process.spawn` is called with the option shell set to true and because the type parameter is not properly sanitized.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-28494
reference_id
reference_type
scores
0
value 0.01199
scoring_system epss
scoring_elements 0.79228
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-28494
1
reference_url https://github.com/totaljs/framework/commit/6192491ab2631e7c1d317c221f18ea613e2c18a5
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/commit/6192491ab2631e7c1d317c221f18ea613e2c18a5
2
reference_url https://snyk.io/vuln/SNYK-JS-TOTALJS-1046672
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-TOTALJS-1046672
3
reference_url https://www.npmjs.com/package/total.js
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/total.js
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-28494
reference_id CVE-2020-28494
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-28494
fixed_packages
0
url pkg:npm/total.js@3.4.7
purl pkg:npm/total.js@3.4.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-528e-s8wc-6ydu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/total.js@3.4.7
aliases CVE-2020-28494, GHSA-4449-hg37-77v8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wmct-kms3-23hk
2
url VCID-xkck-dyh3-cfaq
vulnerability_id VCID-xkck-dyh3-cfaq
summary 
Improperly Controlled Modification of Object Prototype Attributes
The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-28495
reference_id
reference_type
scores
0
value 0.06091
scoring_system epss
scoring_elements 0.90925
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-28495
1
reference_url https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set
2
reference_url https://github.com/totaljs/framework/blob/master/utils.js%23L6606
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/blob/master/utils.js%23L6606
3
reference_url https://github.com/totaljs/framework/blob/master/utils.js%23L6617
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/blob/master/utils.js%23L6617
4
reference_url https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff
5
reference_url https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671
6
reference_url https://www.npmjs.com/package/total.js
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/total.js
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-28495
reference_id CVE-2020-28495
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-28495
fixed_packages
0
url pkg:npm/total.js@3.4.7
purl pkg:npm/total.js@3.4.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-528e-s8wc-6ydu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/total.js@3.4.7
aliases CVE-2020-28495, GHSA-6cf8-qhqj-vjqm
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xkck-dyh3-cfaq
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/total.js@3.3.0-29