Package Instance
Look up vulnerable packages by Package URL. In the response, is_vulnerable reports whether the queried version has any known vulnerability, and next_non_vulnerable_version / latest_non_vulnerable_version give the earliest and the latest versions recorded with none; prefer those as upgrade targets over a fixed_packages entry, which may itself be affected by later vulnerabilities (check its own is_vulnerable flag — here the 2.4.10 fix for CVE-2025-49143 is still affected by five other advisories).
GET /api/packages/30055?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/30055?format=api", "purl": "pkg:pypi/nautobot@2.1.9", "type": "pypi", "namespace": "", "name": "nautobot", "version": "2.1.9", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.4.33", "latest_non_vulnerable_version": "3.1.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97947?format=api", "vulnerability_id": "VCID-7hyy-vgqn-hkfy", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32, files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. Nautobot v2.4.10 and v1.6.32 address this issue by adding enforcement of Nautobot user authentication to this endpoint.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49143", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00225", "scoring_system": "epss", "scoring_elements": "0.45516", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00225", "scoring_system": "epss", "scoring_elements": "0.45367", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49143" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49143", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49143" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/6672", "reference_id": "6672", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T15:58:15Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/6672" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/6703", "reference_id": "6703", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T15:58:15Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/6703" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/9c892dc300429948a4714f743c9c2879d8987340", "reference_id": "9c892dc300429948a4714f743c9c2879d8987340", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T15:58:15Z/" } ], "url": 
"https://github.com/nautobot/nautobot/commit/9c892dc300429948a4714f743c9c2879d8987340" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/d99a53b065129cff3a0fa9abe7355a9ef1ad4c95", "reference_id": "d99a53b065129cff3a0fa9abe7355a9ef1ad4c95", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T15:58:15Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/d99a53b065129cff3a0fa9abe7355a9ef1ad4c95" }, { "reference_url": "https://github.com/advisories/GHSA-rh67-4c8j-hjjh", "reference_id": "GHSA-rh67-4c8j-hjjh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rh67-4c8j-hjjh" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-rh67-4c8j-hjjh", "reference_id": "GHSA-rh67-4c8j-hjjh", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T15:58:15Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-rh67-4c8j-hjjh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87782?format=api", "purl": "pkg:pypi/nautobot@2.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { "vulnerability": "VCID-n6my-hv54-7kfv" }, { "vulnerability": "VCID-p5ay-27ca-8ydh" }, { "vulnerability": "VCID-zaze-en93-tker" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.4.10" } ], "aliases": [ "CVE-2025-49143", "GHSA-rh67-4c8j-hjjh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7hyy-vgqn-hkfy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67722?format=api", "vulnerability_id": "VCID-fmdc-184u-9ya3", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF). This vulnerability is fixed in 2.4.33 and 3.1.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44797", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11492", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11569", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44797" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44797", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44797" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/16aa4aa9796ab7a31c4d615ec945e1f16d8c77c4", "reference_id": "16aa4aa9796ab7a31c4d615ec945e1f16d8c77c4", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:29:49Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/16aa4aa9796ab7a31c4d615ec945e1f16d8c77c4" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/7324c8f0d8c7245fbc691e15d729adc2d2707d08", "reference_id": "7324c8f0d8c7245fbc691e15d729adc2d2707d08", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:29:49Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/7324c8f0d8c7245fbc691e15d729adc2d2707d08" }, { "reference_url": "https://github.com/advisories/GHSA-c35q-vxrp-ph26", "reference_id": "GHSA-c35q-vxrp-ph26", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c35q-vxrp-ph26" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-c35q-vxrp-ph26", "reference_id": "GHSA-c35q-vxrp-ph26", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:29:49Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-c35q-vxrp-ph26" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33", "reference_id": "v2.4.33", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:29:49Z/" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2", "reference_id": "v3.1.2", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:29:49Z/" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375888?format=api", "purl": "pkg:pypi/nautobot@2.4.33", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.4.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/375887?format=api", "purl": "pkg:pypi/nautobot@3.1.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@3.1.2" } ], "aliases": [ "CVE-2026-44797", "GHSA-c35q-vxrp-ph26" ], "risk_score": 4.0, "exploitability": 
"0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fmdc-184u-9ya3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97951?format=api", "vulnerability_id": "VCID-jcyt-t5f3-4khn", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered or that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user. Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability. The vulnerability can be partially mitigated by configuring object permissions appropriately to limit certain actions to only trusted users.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49142", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39416", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39586", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49142" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": 
"https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2025-74.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2025-74.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2025-79.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2025-79.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49142", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49142" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/7417", "reference_id": "7417", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T17:10:17Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/7417" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/7429", "reference_id": "7429", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T17:10:17Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/7429" }, { "reference_url": "https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description", "reference_id": "#alters-data-description", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T17:10:17Z/" } ], "url": "https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description" }, { "reference_url": "https://github.com/advisories/GHSA-wjw6-95h5-4jpx", "reference_id": "GHSA-wjw6-95h5-4jpx", "reference_type": "", "scores": [], "url": 
"https://github.com/advisories/GHSA-wjw6-95h5-4jpx" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wjw6-95h5-4jpx", "reference_id": "GHSA-wjw6-95h5-4jpx", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T17:10:17Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wjw6-95h5-4jpx" }, { "reference_url": "https://jinja.palletsprojects.com/en/stable/sandbox", "reference_id": "sandbox", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T17:10:17Z/" } ], "url": "https://jinja.palletsprojects.com/en/stable/sandbox" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87782?format=api", "purl": "pkg:pypi/nautobot@2.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { 
"vulnerability": "VCID-n6my-hv54-7kfv" }, { "vulnerability": "VCID-p5ay-27ca-8ydh" }, { "vulnerability": "VCID-zaze-en93-tker" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.4.10" } ], "aliases": [ "CVE-2025-49142", "GHSA-wjw6-95h5-4jpx", "PYSEC-2025-74", "PYSEC-2025-79" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jcyt-t5f3-4khn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67599?format=api", "vulnerability_id": "VCID-kzek-vx11-p3db", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different \"content types\" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user \"view\" permissions when determining whether a given reference to another object would be valid. 
This vulnerability is fixed in 2.4.33 and 3.1.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44794", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06886", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06911", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44794" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44794", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44794" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b", "reference_id": "36cde7148a207234de6212ec074f321dbc9d1b5b", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-30T02:02:38Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b" }, { "reference_url": 
"https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1", "reference_id": "9918bdb9bcf1eb42cda72c344f420a64ef7665f1", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-30T02:02:38Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1" }, { "reference_url": "https://github.com/advisories/GHSA-wpxj-44w3-2j6x", "reference_id": "GHSA-wpxj-44w3-2j6x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wpxj-44w3-2j6x" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x", "reference_id": "GHSA-wpxj-44w3-2j6x", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-30T02:02:38Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33", "reference_id": "v2.4.33", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-30T02:02:38Z/" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2", "reference_id": "v3.1.2", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-30T02:02:38Z/" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375888?format=api", "purl": "pkg:pypi/nautobot@2.4.33", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.4.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/375887?format=api", "purl": "pkg:pypi/nautobot@3.1.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@3.1.2" } ], "aliases": [ "CVE-2026-44794", "GHSA-wpxj-44w3-2j6x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kzek-vx11-p3db" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67710?format=api", "vulnerability_id": "VCID-n6my-hv54-7kfv", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. 
Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the current_head pointing to a nonexistent commit hash or malformed value. This vulnerability is fixed in 2.4.33 and 3.1.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44798", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17891", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.1805", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44798" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44798", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44798" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609", "reference_id": "9deddfc91ad9260ad17b5e20084e9e2d15be3609", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T19:01:54Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3", "reference_id": "c46f97040b2bde4320be36b23577f19a8bcbd8c3", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T19:01:54Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3" }, { "reference_url": "https://github.com/advisories/GHSA-p3hx-pwf3-j8wr", "reference_id": "GHSA-p3hx-pwf3-j8wr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p3hx-pwf3-j8wr" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-p3hx-pwf3-j8wr", "reference_id": "GHSA-p3hx-pwf3-j8wr", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T19:01:54Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-p3hx-pwf3-j8wr" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33", "reference_id": "v2.4.33", "reference_type": "", "scores": [ { "value": "7.1", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T19:01:54Z/" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2", "reference_id": "v3.1.2", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T19:01:54Z/" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375888?format=api", "purl": "pkg:pypi/nautobot@2.4.33", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.4.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/375887?format=api", "purl": "pkg:pypi/nautobot@3.1.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@3.1.2" } ], "aliases": [ "CVE-2026-44798", "GHSA-p3hx-pwf3-j8wr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n6my-hv54-7kfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67914?format=api", "vulnerability_id": "VCID-p5ay-27ca-8ydh", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. 
Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag. This vulnerability is fixed in 2.4.33 and 3.1.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44796", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15358", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15494", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44796" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44796", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44796" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd", "reference_id": "5a30d0916953afbeedd24a784709e762cc3879cd", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-30T02:01:49Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee", "reference_id": "c2b766966d814a7141f62c7bc90c85fefb7892ee", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-30T02:01:49Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee" }, { "reference_url": "https://github.com/advisories/GHSA-qrpw-gjvh-x5gm", "reference_id": "GHSA-qrpw-gjvh-x5gm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qrpw-gjvh-x5gm" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-qrpw-gjvh-x5gm", "reference_id": "GHSA-qrpw-gjvh-x5gm", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-30T02:01:49Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-qrpw-gjvh-x5gm" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33", "reference_id": "v2.4.33", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-30T02:01:49Z/" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2", "reference_id": "v3.1.2", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-30T02:01:49Z/" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375888?format=api", "purl": "pkg:pypi/nautobot@2.4.33", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.4.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/375887?format=api", "purl": "pkg:pypi/nautobot@3.1.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@3.1.2" } ], "aliases": [ "CVE-2026-44796", "GHSA-qrpw-gjvh-x5gm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p5ay-27ca-8ydh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42164?format=api", "vulnerability_id": "VCID-p942-atnd-xkbg", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. 
A user with permissions to view Dynamic Group records (`extras.view_dynamicgroup` permission) can use the Dynamic Group detail UI view (`/extras/dynamic-groups/<uuid>/`) and/or the members REST API view (`/api/extras/dynamic-groups/<uuid>/members/`) to list the objects that are members of a given Dynamic Group. In versions of Nautobot between 1.3.0 (where the Dynamic Groups feature was added) and 1.6.22 inclusive, and 2.0.0 through 2.2.4 inclusive, Nautobot fails to restrict these listings based on the member object permissions - for example, a Dynamic Group of Device objects will list all Devices that it contains, regardless of the user's `dcim.view_device` permissions or lack thereof. This issue has been fixed in Nautobot versions 1.6.23 and 2.2.5. Users are advised to upgrade. This vulnerability can be partially mitigated by removing the `extras.view_dynamicgroup` permission from users; however, a full fix will require upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36112", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35515", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35337", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36112" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/3a63aa1327f943b2ac8452757ea2e4d403387ad6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/commit/3a63aa1327f943b2ac8452757ea2e4d403387ad6" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/4d1ff2abe2775b0a6fb16e6d1d503a78226a6f8e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/commit/4d1ff2abe2775b0a6fb16e6d1d503a78226a6f8e" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2024-166.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2024-166.yaml" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/5757", "reference_id": "5757", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T12:59:52Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/5757" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/5762", "reference_id": "5762", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T12:59:52Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/5762" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36112", "reference_id": "CVE-2024-36112", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36112" }, { "reference_url": "https://github.com/advisories/GHSA-qmjf-wc2h-6x3q", "reference_id": "GHSA-qmjf-wc2h-6x3q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qmjf-wc2h-6x3q" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-qmjf-wc2h-6x3q", "reference_id": "GHSA-qmjf-wc2h-6x3q", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T12:59:52Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-qmjf-wc2h-6x3q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31752?format=api", "purl": "pkg:pypi/nautobot@2.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7hyy-vgqn-hkfy" }, { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-jcyt-t5f3-4khn" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { "vulnerability": "VCID-n6my-hv54-7kfv" }, { 
"vulnerability": "VCID-p5ay-27ca-8ydh" }, { "vulnerability": "VCID-p942-atnd-xkbg" }, { "vulnerability": "VCID-zaze-en93-tker" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/83738?format=api", "purl": "pkg:pypi/nautobot@2.3.0b1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7hyy-vgqn-hkfy" }, { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-jcyt-t5f3-4khn" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { "vulnerability": "VCID-n6my-hv54-7kfv" }, { "vulnerability": "VCID-p5ay-27ca-8ydh" }, { "vulnerability": "VCID-zaze-en93-tker" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.3.0b1" } ], "aliases": [ "CVE-2024-36112", "GHSA-qmjf-wc2h-6x3q", "PYSEC-2024-166" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p942-atnd-xkbg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52737?format=api", "vulnerability_id": "VCID-tbah-cqxc-1kb1", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable. This issue has been fixed in Nautobot versions 1.6.20 and 2.2.3. 
There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32979", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42349", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42185", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32979" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/2ea5797ea43646d5d8b29433e4c707b5a9758146", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/commit/2ea5797ea43646d5d8b29433e4c707b5a9758146" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.20", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.20" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v2.2.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { 
"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v2.2.3" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e", "reference_id": "42440ebd9b381534ad89d62420ebea00d703d64e", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T16:56:47Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/5646", "reference_id": "5646", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T16:56:47Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/5646" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/5647", "reference_id": "5647", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T16:56:47Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/5647" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32979", "reference_id": "CVE-2024-32979", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32979" }, { "reference_url": "https://github.com/advisories/GHSA-jxgr-gcj5-cqqg", "reference_id": "GHSA-jxgr-gcj5-cqqg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jxgr-gcj5-cqqg" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg", "reference_id": "GHSA-jxgr-gcj5-cqqg", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T16:56:47Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30833?format=api", "purl": "pkg:pypi/nautobot@2.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7hyy-vgqn-hkfy" }, { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-jcyt-t5f3-4khn" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { "vulnerability": "VCID-n6my-hv54-7kfv" }, { "vulnerability": "VCID-p5ay-27ca-8ydh" }, { "vulnerability": "VCID-p942-atnd-xkbg" }, { "vulnerability": "VCID-z219-8hrp-7fbt" }, { "vulnerability": "VCID-zaze-en93-tker" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.3" } ], "aliases": [ "CVE-2024-32979", "GHSA-jxgr-gcj5-cqqg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-tbah-cqxc-1kb1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49605?format=api", "vulnerability_id": "VCID-z219-8hrp-7fbt", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case of `BANNER_LOGIN`) but it was reported that an admin user can make use of these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34707", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50381", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50514", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34707" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/4f0a66bd6307bfe0e0acb899233e0d4ad516f51c", "reference_id": "4f0a66bd6307bfe0e0acb899233e0d4ad516f51c", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T15:20:33Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/4f0a66bd6307bfe0e0acb899233e0d4ad516f51c" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/5697", "reference_id": "5697", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T15:20:33Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/5697" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/5698", "reference_id": "5698", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T15:20:33Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/5698" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34707", "reference_id": "CVE-2024-34707", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34707" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/f640aedc69c848d3d1be57f0300fc40033ff6423", "reference_id": "f640aedc69c848d3d1be57f0300fc40033ff6423", "reference_type": "", "scores": [ { 
"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T15:20:33Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/f640aedc69c848d3d1be57f0300fc40033ff6423" }, { "reference_url": "https://github.com/advisories/GHSA-r2hr-4v48-fjv3", "reference_id": "GHSA-r2hr-4v48-fjv3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2hr-4v48-fjv3" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hr-4v48-fjv3", "reference_id": "GHSA-r2hr-4v48-fjv3", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T15:20:33Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hr-4v48-fjv3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31014?format=api", "purl": "pkg:pypi/nautobot@2.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7hyy-vgqn-hkfy" }, { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-jcyt-t5f3-4khn" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { "vulnerability": "VCID-n6my-hv54-7kfv" }, { "vulnerability": "VCID-p5ay-27ca-8ydh" }, { "vulnerability": "VCID-p942-atnd-xkbg" }, { "vulnerability": "VCID-zaze-en93-tker" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.4" } ], "aliases": [ "CVE-2024-34707", "GHSA-r2hr-4v48-fjv3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z219-8hrp-7fbt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75121?format=api", "vulnerability_id": "VCID-zaze-en93-tker", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34203", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02251", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02255", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34203" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34203", "reference_id": "", "reference_type": "", "scores": [ { "value": 
"2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34203" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/589f7caf54124ad76bc9fcbb7bdcaa25627cd598", "reference_id": "589f7caf54124ad76bc9fcbb7bdcaa25627cd598", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:54Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/589f7caf54124ad76bc9fcbb7bdcaa25627cd598" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/8778", "reference_id": "8778", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:54Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/8778" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/8779", "reference_id": "8779", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:54Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/8779" }, { "reference_url": 
"https://github.com/nautobot/nautobot/commit/d1ef3135aa02fa07de061e8c085f8cce425fe8c9", "reference_id": "d1ef3135aa02fa07de061e8c085f8cce425fe8c9", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:54Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/d1ef3135aa02fa07de061e8c085f8cce425fe8c9" }, { "reference_url": "https://github.com/advisories/GHSA-xmpv-j7p2-j873", "reference_id": "GHSA-xmpv-j7p2-j873", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xmpv-j7p2-j873" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-xmpv-j7p2-j873", "reference_id": "GHSA-xmpv-j7p2-j873", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:54Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-xmpv-j7p2-j873" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375128?format=api", "purl": "pkg:pypi/nautobot@2.4.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { "vulnerability": "VCID-n6my-hv54-7kfv" }, { "vulnerability": "VCID-p5ay-27ca-8ydh" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.4.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/986228?format=api", "purl": "pkg:pypi/nautobot@3.0.0a2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { "vulnerability": "VCID-n6my-hv54-7kfv" }, { "vulnerability": "VCID-p5ay-27ca-8ydh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@3.0.0a2" }, { "url": "http://public2.vulnerablecode.io/api/packages/375129?format=api", "purl": "pkg:pypi/nautobot@3.0.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { "vulnerability": "VCID-n6my-hv54-7kfv" }, { "vulnerability": "VCID-p5ay-27ca-8ydh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@3.0.10" } ], "aliases": [ "CVE-2026-34203", "GHSA-xmpv-j7p2-j873" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zaze-en93-tker" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48296?format=api", "vulnerability_id": "VCID-v7dp-d3tk-mkff", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. 
This vulnerability is fixed in 1.6.16 and 2.1.9.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-29199", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00166", "scoring_system": "epss", "scoring_elements": "0.37597", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00166", "scoring_system": "epss", "scoring_elements": "0.37419", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-29199" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750", "reference_id": "2fd95c365f8477b26e06d60b999ddd36882d5750", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T16:13:02Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/5464", "reference_id": "5464", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T16:13:02Z/" } ], "url": 
"https://github.com/nautobot/nautobot/pull/5464" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/5465", "reference_id": "5465", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T16:13:02Z/" } ], "url": "https://github.com/nautobot/nautobot/pull/5465" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29199", "reference_id": "CVE-2024-29199", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29199" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb", "reference_id": "dd623e6c3307f48b6357fcc91925bcad5192abfb", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T16:13:02Z/" } ], "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb" }, { "reference_url": "https://github.com/advisories/GHSA-m732-wvh2-7cq4", "reference_id": "GHSA-m732-wvh2-7cq4", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m732-wvh2-7cq4" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4", "reference_id": 
"GHSA-m732-wvh2-7cq4", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T16:13:02Z/" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16", "reference_id": "v1.6.16", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T16:13:02Z/" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9", "reference_id": "v2.1.9", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T16:13:02Z/" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30056?format=api", "purl": "pkg:pypi/nautobot@1.6.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7hyy-vgqn-hkfy" }, { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-jcyt-t5f3-4khn" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { 
"vulnerability": "VCID-n6my-hv54-7kfv" }, { "vulnerability": "VCID-p5ay-27ca-8ydh" }, { "vulnerability": "VCID-p942-atnd-xkbg" }, { "vulnerability": "VCID-tbah-cqxc-1kb1" }, { "vulnerability": "VCID-z219-8hrp-7fbt" }, { "vulnerability": "VCID-zaze-en93-tker" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@1.6.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/30055?format=api", "purl": "pkg:pypi/nautobot@2.1.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7hyy-vgqn-hkfy" }, { "vulnerability": "VCID-fmdc-184u-9ya3" }, { "vulnerability": "VCID-jcyt-t5f3-4khn" }, { "vulnerability": "VCID-kzek-vx11-p3db" }, { "vulnerability": "VCID-n6my-hv54-7kfv" }, { "vulnerability": "VCID-p5ay-27ca-8ydh" }, { "vulnerability": "VCID-p942-atnd-xkbg" }, { "vulnerability": "VCID-tbah-cqxc-1kb1" }, { "vulnerability": "VCID-z219-8hrp-7fbt" }, { "vulnerability": "VCID-zaze-en93-tker" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.9" } ], "aliases": [ "CVE-2024-29199", "GHSA-m732-wvh2-7cq4" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v7dp-d3tk-mkff" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.9" }