Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/552425?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/552425?format=api", "purl": "pkg:pypi/xml2rfc@3.6.0", "type": "pypi", "namespace": "", "name": "xml2rfc", "version": "3.6.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.30.2", "latest_non_vulnerable_version": "3.30.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360548?format=api", "vulnerability_id": "VCID-96zb-v69y-7udq", "summary": "xml2rfc is vulnerable to arbitrary file reads through prepped files\n### Impact\n\nWhen generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.\n\n### Workarounds\n\nTest untrusted input with `link` elements with `rel=\"attachment\"` before processing.\n\n### References\nThis is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-11059", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51635", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51633", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51647", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-11059" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11059", "reference_id": "CVE-2025-11059", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11059" }, { "reference_url": "https://github.com/advisories/GHSA-9mv7-3c64-mmqw", "reference_id": "GHSA-9mv7-3c64-mmqw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9mv7-3c64-mmqw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376811?format=api", "purl": "pkg:pypi/xml2rfc@3.30.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/xml2rfc@3.30.2" } ], "aliases": [ "CVE-2025-11059", "GHSA-9mv7-3c64-mmqw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-96zb-v69y-7udq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360661?format=api", "vulnerability_id": "VCID-hzv3-nqaf-ckcx", "summary": "xml2rfc has an arbitrary file read vulnerability\n### Impact\nWhen generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML.\n\n### Workarounds\nTest untrusted input with `link` elements with `rel=\"attachment\"` before processing.\n\n### Credits\nThis vulnerability was reported by Mohamed Ouad from [Doyensec](https://doyensec.com/).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-11058", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.50422", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.50427", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.5044", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-11058" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/commit/f2b245bc0aeeac0667c8f74e976c466c5991f0e4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/commit/f2b245bc0aeeac0667c8f74e976c466c5991f0e4" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11058", "reference_id": "CVE-2025-11058", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11058" }, { "reference_url": "https://github.com/advisories/GHSA-cfmv-h8fx-85m7", "reference_id": "GHSA-cfmv-h8fx-85m7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cfmv-h8fx-85m7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377665?format=api", "purl": "pkg:pypi/xml2rfc@3.30.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96zb-v69y-7udq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/xml2rfc@3.30.1" } ], "aliases": [ "CVE-2025-11058", "GHSA-cfmv-h8fx-85m7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hzv3-nqaf-ckcx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208926?format=api", "vulnerability_id": "VCID-vbea-2gtz-6qe9", "summary": "SVG with embedded scripts can lead to cross-site scripting attacks in xml2rfc", "references": [ { "reference_url": "https://github.com/ietf-tools/xml2rfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc" }, { "reference_url": "https://github.com/advisories/GHSA-cf4q-4cqr-7g7w", "reference_id": "GHSA-cf4q-4cqr-7g7w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cf4q-4cqr-7g7w" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cf4q-4cqr-7g7w", "reference_id": "GHSA-cf4q-4cqr-7g7w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cf4q-4cqr-7g7w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20239?format=api", "purl": "pkg:pypi/xml2rfc@3.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7h51-2ny1-z7fd" }, { "vulnerability": "VCID-96zb-v69y-7udq" }, { "vulnerability": "VCID-hzv3-nqaf-ckcx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/xml2rfc@3.12.4" } ], "aliases": [ "GHSA-cf4q-4cqr-7g7w", "GMS-2022-988" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vbea-2gtz-6qe9" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/xml2rfc@3.6.0" }