Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/cmark-gfm@0.29.0.gfm.0-6

Type deb

Namespace debian

Name cmark-gfm

Version 0.29.0.gfm.0-6

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.29.0.gfm.13-4

Latest_non_vulnerable_version 0.29.0.gfm.13-4

Affected_by_vulnerabilities

url VCID-2an8-zxae-hffk

vulnerability_id VCID-2an8-zxae-hffk

summary cmark-gfm: Quadratic complexity bugs may lead to a denial of service

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-24824.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-24824.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-24824

reference_id

reference_type

scores

value	0.00319
scoring_system	epss
scoring_elements	0.55228
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-24824

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24824
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24824

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034171
reference_id	1034171
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034171

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034172
reference_id	1034172
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034172

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034173
reference_id	1034173
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034173

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034174
reference_id	1034174
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034174

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2210172
reference_id	2210172
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2210172

reference_url

https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59

reference_id

2300c1bd2c8226108885bf019655c4159cf26b59

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-11T17:19:34Z/

url

https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59

reference_url	https://access.redhat.com/errata/RHSA-2025:8427
reference_id	RHSA-2025:8427
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8427

fixed_packages

url	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
purl	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4

aliases CVE-2023-24824

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2an8-zxae-hffk

url VCID-3hpr-vga4-kucr

vulnerability_id VCID-3hpr-vga4-kucr

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22486

reference_id

reference_type

scores

value	0.00122
scoring_system	epss
scoring_elements	0.30895
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22486

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22486
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22486

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033110
reference_id	1033110
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033110

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033111
reference_id	1033111
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033111

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033112
reference_id	1033112
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033112

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033113
reference_id	1033113
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033113

reference_url	https://usn.ubuntu.com/7319-1/
reference_id	USN-7319-1
reference_type
scores
url	https://usn.ubuntu.com/7319-1/

fixed_packages

url	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
purl	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4

aliases CVE-2023-22486

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3hpr-vga4-kucr

url VCID-3ngu-1qyq-5ub2

vulnerability_id VCID-3ngu-1qyq-5ub2

summary cmark-gfm: possible RCE due to integer overflow

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24724.json

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24724.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-24724

reference_id

reference_type

scores

value	0.04189
scoring_system	epss
scoring_elements	0.88895
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-24724

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24724
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24724

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006756
reference_id	1006756
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006756

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006757
reference_id	1006757
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006757

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006758
reference_id	1006758
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006758

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006759
reference_id	1006759
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006759

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006760
reference_id	1006760
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006760

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2060662
reference_id	2060662
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2060662

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CYUU662VO6CCXQKVZVOHXX3RGIF2DLQ/

reference_id

5CYUU662VO6CCXQKVZVOHXX3RGIF2DLQ

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:44:15Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CYUU662VO6CCXQKVZVOHXX3RGIF2DLQ/

reference_url

http://packetstormsecurity.com/files/166599/cmark-gfm-Integer-overflow.html

reference_id

cmark-gfm-Integer-overflow.html

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:44:15Z/

url

http://packetstormsecurity.com/files/166599/cmark-gfm-Integer-overflow.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7V3HAM5H6YFJG2QFEXACZR3XVWFTXTC/

reference_id

F7V3HAM5H6YFJG2QFEXACZR3XVWFTXTC

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:44:15Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7V3HAM5H6YFJG2QFEXACZR3XVWFTXTC/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KH4UQA6VWVZU5EW3HNEAB7D7BTCNJSJ2/

reference_id

KH4UQA6VWVZU5EW3HNEAB7D7BTCNJSJ2

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:44:15Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KH4UQA6VWVZU5EW3HNEAB7D7BTCNJSJ2/

reference_url	https://access.redhat.com/errata/RHSA-2022:5597
reference_id	RHSA-2022:5597
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:5597

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSKUOJ2VAYGTJXPDE2RRPMNLVVMKCI77/

reference_id

RSKUOJ2VAYGTJXPDE2RRPMNLVVMKCI77

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:44:15Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSKUOJ2VAYGTJXPDE2RRPMNLVVMKCI77/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TJBFIJEHJZEEDG6MO4MQHZYKUXELH77O/

reference_id

TJBFIJEHJZEEDG6MO4MQHZYKUXELH77O

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:44:15Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TJBFIJEHJZEEDG6MO4MQHZYKUXELH77O/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55K6VNVKO2G5SNKRCQ2KDG5SKTX5PVV/

reference_id

Z55K6VNVKO2G5SNKRCQ2KDG5SKTX5PVV

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:44:15Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55K6VNVKO2G5SNKRCQ2KDG5SKTX5PVV/

fixed_packages

url pkg:deb/debian/cmark-gfm@0.29.0.gfm.6-6

purl pkg:deb/debian/cmark-gfm@0.29.0.gfm.6-6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2an8-zxae-hffk

vulnerability	VCID-3hpr-vga4-kucr

vulnerability	VCID-cr2f-h3ds-m7bp

vulnerability	VCID-g272-pad7-t7bp

vulnerability	VCID-rfcv-sua7-uke4

vulnerability	VCID-u5p8-6fkp-byap

vulnerability	VCID-vapm-4zu8-d7ba

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.6-6

aliases CVE-2022-24724

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3ngu-1qyq-5ub2

url VCID-cr2f-h3ds-m7bp

vulnerability_id VCID-cr2f-h3ds-m7bp

summary cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22484

reference_id

reference_type

scores

value	0.00226
scoring_system	epss
scoring_elements	0.45409
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22484

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22484
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22484

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033110
reference_id	1033110
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033110

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033111
reference_id	1033111
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033111

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033112
reference_id	1033112
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033112

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033113
reference_id	1033113
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033113

reference_url	https://usn.ubuntu.com/7319-1/
reference_id	USN-7319-1
reference_type
scores
url	https://usn.ubuntu.com/7319-1/

fixed_packages

url	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
purl	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4

aliases CVE-2023-22484

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cr2f-h3ds-m7bp

url VCID-fjt6-mbum-gkdh

vulnerability_id VCID-fjt6-mbum-gkdh

summary cmark-gfm: Unbounded resource exhaustion may lead to denial of service

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39209.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39209.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-39209

reference_id

reference_type

scores

value	0.01827
scoring_system	epss
scoring_elements	0.83207
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-39209

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39209
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39209

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020588
reference_id	1020588
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020588

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034887
reference_id	1034887
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034887

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034888
reference_id	1034888
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034888

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2128044
reference_id	2128044
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2128044

reference_url

https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655

reference_id

9d57d8a23142b316282bdfc954cb0ecda40a8655

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:25Z/

url

https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655

reference_url

https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q

reference_id

GHSA-cgh3-p57x-9q7q

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:25Z/

url

https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/

reference_id

JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:25Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/

reference_id

JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:25Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/

reference_url

https://en.wikipedia.org/wiki/Time_complexity

reference_id

Time_complexity

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:25Z/

url

https://en.wikipedia.org/wiki/Time_complexity

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/

reference_id

UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:25Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/

reference_url	https://usn.ubuntu.com/7319-1/
reference_id	USN-7319-1
reference_type
scores
url	https://usn.ubuntu.com/7319-1/

fixed_packages

url pkg:deb/debian/cmark-gfm@0.29.0.gfm.6-6

purl pkg:deb/debian/cmark-gfm@0.29.0.gfm.6-6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2an8-zxae-hffk

vulnerability	VCID-3hpr-vga4-kucr

vulnerability	VCID-cr2f-h3ds-m7bp

vulnerability	VCID-g272-pad7-t7bp

vulnerability	VCID-rfcv-sua7-uke4

vulnerability	VCID-u5p8-6fkp-byap

vulnerability	VCID-vapm-4zu8-d7ba

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.6-6

aliases CVE-2022-39209

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fjt6-mbum-gkdh

url VCID-g272-pad7-t7bp

vulnerability_id VCID-g272-pad7-t7bp

summary commonmarker: Quadratic complexity bug may lead to a denial of service

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26485.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26485.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-26485

reference_id

reference_type

scores

value	0.00154
scoring_system	epss
scoring_elements	0.35879
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-26485

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26485
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26485

reference_url

https://github.com/github/cmark-gfm/commit/07a66c9bc341f902878e37d7da8647d6ef150987

reference_id

07a66c9bc341f902878e37d7da8647d6ef150987

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-11T17:20:05Z/

url

https://github.com/github/cmark-gfm/commit/07a66c9bc341f902878e37d7da8647d6ef150987

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034171
reference_id	1034171
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034171

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034172
reference_id	1034172
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034172

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034173
reference_id	1034173
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034173

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034174
reference_id	1034174
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034174

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2210173
reference_id	2210173
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2210173

reference_url	https://usn.ubuntu.com/7319-1/
reference_id	USN-7319-1
reference_type
scores
url	https://usn.ubuntu.com/7319-1/

fixed_packages

url	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
purl	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4

aliases CVE-2023-26485

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g272-pad7-t7bp

url VCID-rfcv-sua7-uke4

vulnerability_id VCID-rfcv-sua7-uke4

summary cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22483

reference_id

reference_type

scores

value	0.00226
scoring_system	epss
scoring_elements	0.45409
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22483

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22483
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22483

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033110
reference_id	1033110
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033110

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033111
reference_id	1033111
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033111

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033112
reference_id	1033112
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033112

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033113
reference_id	1033113
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033113

reference_url	https://usn.ubuntu.com/7319-1/
reference_id	USN-7319-1
reference_type
scores
url	https://usn.ubuntu.com/7319-1/

fixed_packages

url	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
purl	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4

aliases CVE-2023-22483

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rfcv-sua7-uke4

url VCID-t4pg-p9b1-xycx

vulnerability_id VCID-t4pg-p9b1-xycx

summary cmark-gfm: Exponential time to parse certain inputs could lead to DoS

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5238.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5238.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-5238

reference_id

reference_type

scores

value	0.00509
scoring_system	epss
scoring_elements	0.66629
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-5238

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5238
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5238

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1854328
reference_id	1854328
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1854328

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965980
reference_id	965980
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965980

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965981
reference_id	965981
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965981

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965982
reference_id	965982
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965982

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965983
reference_id	965983
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965983

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965984
reference_id	965984
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965984

reference_url	https://access.redhat.com/errata/RHSA-2021:1972
reference_id	RHSA-2021:1972
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:1972

fixed_packages

url pkg:deb/debian/cmark-gfm@0.29.0.gfm.6-6

purl pkg:deb/debian/cmark-gfm@0.29.0.gfm.6-6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2an8-zxae-hffk

vulnerability	VCID-3hpr-vga4-kucr

vulnerability	VCID-cr2f-h3ds-m7bp

vulnerability	VCID-g272-pad7-t7bp

vulnerability	VCID-rfcv-sua7-uke4

vulnerability	VCID-u5p8-6fkp-byap

vulnerability	VCID-vapm-4zu8-d7ba

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.6-6

aliases CVE-2020-5238

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t4pg-p9b1-xycx

url VCID-u5p8-6fkp-byap

vulnerability_id VCID-u5p8-6fkp-byap

summary cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-37463

reference_id

reference_type

scores

value	0.00221
scoring_system	epss
scoring_elements	0.44742
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-37463

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37463
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37463

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041097
reference_id	1041097
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041097

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041098
reference_id	1041098
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041098

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041099
reference_id	1041099
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041099

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041100
reference_id	1041100
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041100

fixed_packages

url	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
purl	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4

aliases CVE-2023-37463

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u5p8-6fkp-byap

url VCID-vapm-4zu8-d7ba

vulnerability_id VCID-vapm-4zu8-d7ba

summary cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22485

reference_id

reference_type

scores

value	0.00071
scoring_system	epss
scoring_elements	0.21822
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22485

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22485
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22485

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033110
reference_id	1033110
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033110

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033111
reference_id	1033111
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033111

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033112
reference_id	1033112
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033112

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033113
reference_id	1033113
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033113

reference_url

https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr

reference_id

GHSA-c944-cv5f-hpvr

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:02:09Z/

url

https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr

fixed_packages

url	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
purl	pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.13-4

aliases CVE-2023-22485

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vapm-4zu8-d7ba

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cmark-gfm@0.29.0.gfm.0-6

Package Instance