Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/49148?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/49148?format=api", "purl": "pkg:pypi/kedro@0.17.5", "type": "pypi", "namespace": "", "name": "kedro", "version": "0.17.5", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.3.0", "latest_non_vulnerable_version": "1.3.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56882?format=api", "vulnerability_id": "VCID-4nwx-hyuy-k3hw", "summary": "Kedro deserialization vulnerability\nA Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-9701", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0614", "scoring_system": "epss", "scoring_elements": "0.90973", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0614", "scoring_system": "epss", "scoring_elements": "0.90976", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0614", "scoring_system": "epss", "scoring_elements": "0.90979", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0614", "scoring_system": "epss", "scoring_elements": "0.9098", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-9701" }, { "reference_url": "https://github.com/kedro-org/kedro", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/kedro-org/kedro" }, { "reference_url": "https://github.com/kedro-org/kedro/commit/66e5e074b2789469550370f370c8b486f638d975", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/kedro-org/kedro/commit/66e5e074b2789469550370f370c8b486f638d975" }, { "reference_url": "https://huntr.com/bounties/96c77fef-93b2-4d4d-8cbe-57a718d8eea5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:19Z/" } ], "url": "https://huntr.com/bounties/96c77fef-93b2-4d4d-8cbe-57a718d8eea5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9701", "reference_id": "CVE-2024-9701", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9701" }, { "reference_url": "https://github.com/kedro-org/kedro/commit/d79fa51de55ac0ccb58cce1a482df1b445f0fe7c", "reference_id": "d79fa51de55ac0ccb58cce1a482df1b445f0fe7c", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:19Z/" } ], "url": "https://github.com/kedro-org/kedro/commit/d79fa51de55ac0ccb58cce1a482df1b445f0fe7c" }, { "reference_url": "https://github.com/advisories/GHSA-747f-ww56-4q4h", "reference_id": "GHSA-747f-ww56-4q4h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-747f-ww56-4q4h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49175?format=api", "purl": "pkg:pypi/kedro@0.19.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6x1m-q9dg-9ycx" }, { "vulnerability": "VCID-th6m-yd2z-ykba" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/kedro@0.19.9" } ], "aliases": [ "CVE-2024-9701", "GHSA-747f-ww56-4q4h" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4nwx-hyuy-k3hw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37264?format=api", "vulnerability_id": "VCID-6x1m-q9dg-9ycx", "summary": "Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35171", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42163", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42215", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42226", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42199", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35171" }, { "reference_url": "https://github.com/kedro-org/kedro", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/kedro-org/kedro" }, { "reference_url": "https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-07T15:07:48Z/" } ], "url": "https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/kedro/PYSEC-2026-72.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/kedro/PYSEC-2026-72.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35171", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35171" }, { "reference_url": "https://github.com/advisories/GHSA-9cqf-439c-j96r", "reference_id": "GHSA-9cqf-439c-j96r", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9cqf-439c-j96r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49189?format=api", "purl": "pkg:pypi/kedro@1.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/kedro@1.3.0" } ], "aliases": [ "CVE-2026-35171", "GHSA-9cqf-439c-j96r", "PYSEC-2026-72" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6x1m-q9dg-9ycx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37263?format=api", "vulnerability_id": "VCID-th6m-yd2z-ykba", "summary": "Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory.\nThis is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments. This vulnerability is fixed in 1.3.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35167", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06341", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06394", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06386", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06404", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35167" }, { "reference_url": "https://github.com/kedro-org/kedro", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/kedro-org/kedro" }, { "reference_url": "https://github.com/kedro-org/kedro/pull/5442", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:36:23Z/" } ], "url": "https://github.com/kedro-org/kedro/pull/5442" }, { "reference_url": "https://github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:36:23Z/" } ], "url": "https://github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjw" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/kedro/PYSEC-2026-71.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/kedro/PYSEC-2026-71.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35167", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35167" }, { "reference_url": "https://github.com/advisories/GHSA-6326-w46w-ppjw", "reference_id": "GHSA-6326-w46w-ppjw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6326-w46w-ppjw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49189?format=api", "purl": "pkg:pypi/kedro@1.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/kedro@1.3.0" } ], "aliases": [ "CVE-2026-35167", "GHSA-6326-w46w-ppjw", "PYSEC-2026-71" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-th6m-yd2z-ykba" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56880?format=api", "vulnerability_id": "VCID-w8wh-fd22-z3hu", "summary": "Kedro allows Remote Code Execution by Pulling Micro Packages\nIn kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12215", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00847", "scoring_system": "epss", "scoring_elements": "0.75232", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00847", "scoring_system": "epss", "scoring_elements": "0.75213", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00847", "scoring_system": "epss", "scoring_elements": "0.75227", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00847", "scoring_system": "epss", "scoring_elements": "0.75235", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12215" }, { "reference_url": "https://github.com/kedro-org/kedro", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/kedro-org/kedro" }, { "reference_url": "https://huntr.com/bounties/fad27503-97a4-4933-91d4-96223b8c54d8", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:34:49Z/" } ], "url": "https://huntr.com/bounties/fad27503-97a4-4933-91d4-96223b8c54d8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12215", "reference_id": "CVE-2024-12215", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12215" }, { "reference_url": "https://github.com/advisories/GHSA-rm69-wvpv-r2w7", "reference_id": "GHSA-rm69-wvpv-r2w7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rm69-wvpv-r2w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49175?format=api", "purl": "pkg:pypi/kedro@0.19.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6x1m-q9dg-9ycx" }, { "vulnerability": "VCID-th6m-yd2z-ykba" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/kedro@0.19.9" } ], "aliases": [ "CVE-2024-12215", "GHSA-rm69-wvpv-r2w7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w8wh-fd22-z3hu" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/kedro@0.17.5" }