Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/55381?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/55381?format=api", "purl": "pkg:composer/mautic/core@2.13.0", "type": "composer", "namespace": "mautic", "name": "core", "version": "2.13.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.3.2", "latest_non_vulnerable_version": "7.0.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53958?format=api", "vulnerability_id": "VCID-1unf-fcpb-t7gr", "summary": "Cross-site Scripting\nMautic is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack other users including administrators. For example, an attacker could load an externally drafted JavaScript file that would allow them to eventually perform actions on the target user’s behalf, including changing the user’s password or email address or changing the attacker’s user role from a low-privileged user to an administrator account.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-35129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00617", "scoring_system": "epss", "scoring_elements": "0.70316", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-35129" }, { "reference_url": "https://forum.mautic.org/c/announcements/16", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://forum.mautic.org/c/announcements/16" }, { "reference_url": "https://github.com/mautic/mautic", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/mautic/mautic" }, { "reference_url": "https://labs.bishopfox.com/advisories/mautic-version-3.2.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://labs.bishopfox.com/advisories/mautic-version-3.2.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35129", "reference_id": "CVE-2020-35129", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35129" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79564?format=api", "purl": "pkg:composer/mautic/core@3.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ghuh-z1uh-mbf5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@3.2.4" } ], "aliases": [ "CVE-2020-35129", "GHSA-3px5-wjh3-9x6r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1unf-fcpb-t7gr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54001?format=api", "vulnerability_id": "VCID-9tjy-3czw-37as", "summary": "Cross-site Scripting\nA cross-site scripting (XSS) vulnerability in the assets component of Mautic allows remote attackers to inject executable JavaScript through the Referer header of asset downloads.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-35124", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01142", "scoring_system": "epss", "scoring_elements": 
"0.7877", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-35124" }, { "reference_url": "https://forum.mautic.org/c/announcements/16", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://forum.mautic.org/c/announcements/16" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2020-35124.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2020-35124.yaml" }, { "reference_url": "https://github.com/mautic/mautic/commit/20c5dc39b62164f6922ce53ea42cbb4ccec64e57", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/commit/20c5dc39b62164f6922ce53ea42cbb4ccec64e57" }, { "reference_url": "https://github.com/mautic/mautic/security/advisories/GHSA-39wj-j3jc-858m", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/security/advisories/GHSA-39wj-j3jc-858m" }, { "reference_url": "https://packagist.org/packages/mautic/core", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/mautic/core" }, { "reference_url": "https://www.horizon3.ai/disclosures/mautic-unauth-xss-to-rce", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.horizon3.ai/disclosures/mautic-unauth-xss-to-rce" }, { "reference_url": 
"https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35124", "reference_id": "CVE-2020-35124", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35124" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79578?format=api", "purl": "pkg:composer/mautic/core@2.16.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1unf-fcpb-t7gr" }, { "vulnerability": "VCID-9tjy-3czw-37as" }, { "vulnerability": "VCID-ghuh-z1uh-mbf5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@2.16.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/79564?format=api", "purl": "pkg:composer/mautic/core@3.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ghuh-z1uh-mbf5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@3.2.4" } ], "aliases": [ "CVE-2020-35124", "GHSA-39wj-j3jc-858m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9tjy-3czw-37as" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54046?format=api", "vulnerability_id": "VCID-dh9y-k8zb-zkew", "summary": "Cross-site Scripting\nA cross-site scripting (XSS) vulnerability in the forms component of Mautic allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-2020-35124, but also related to the Referer concept).", 
"references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-35125", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79631", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-35125" }, { "reference_url": "https://forum.mautic.org/c/announcements/16", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://forum.mautic.org/c/announcements/16" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2020-35125.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2020-35125.yaml" }, { "reference_url": "https://github.com/mautic/mautic/security/advisories/GHSA-42q7-95j7-w62m", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/security/advisories/GHSA-42q7-95j7-w62m" }, { "reference_url": "https://packagist.org/packages/mautic/core", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://packagist.org/packages/mautic/core" }, { "reference_url": "https://www.horizon3.ai/disclosures/mautic-unauth-xss-to-rce", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.horizon3.ai/disclosures/mautic-unauth-xss-to-rce" }, { "reference_url": "https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35125", "reference_id": "CVE-2020-35125", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35125" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79578?format=api", "purl": "pkg:composer/mautic/core@2.16.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1unf-fcpb-t7gr" }, { "vulnerability": "VCID-9tjy-3czw-37as" }, { "vulnerability": "VCID-ghuh-z1uh-mbf5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@2.16.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/79564?format=api", "purl": "pkg:composer/mautic/core@3.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ghuh-z1uh-mbf5" } 
], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@3.2.4" } ], "aliases": [ "CVE-2020-35125", "GHSA-42q7-95j7-w62m" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dh9y-k8zb-zkew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54227?format=api", "vulnerability_id": "VCID-ghuh-z1uh-mbf5", "summary": "Incorrect Permission Assignment for Critical Resource\nSecret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging Symfony parameter syntax in any of the free text fields in Mautic’s configuration that are used in publicly facing parts of the application.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-27908", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00109", "scoring_system": "epss", "scoring_elements": "0.28726", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-27908" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27908.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27908.yaml" }, { "reference_url": "https://github.com/mautic/mautic", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic" }, { "reference_url": 
"https://github.com/mautic/mautic/security/advisories/GHSA-4hjq-422q-4vpx", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/security/advisories/GHSA-4hjq-422q-4vpx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27908", "reference_id": "CVE-2021-27908", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27908" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80043?format=api", "purl": "pkg:composer/mautic/core@3.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@3.3.2" } ], "aliases": [ "CVE-2021-27908", "GHSA-4hjq-422q-4vpx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ghuh-z1uh-mbf5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54008?format=api", "vulnerability_id": "VCID-j624-5zx3-c7c8", "summary": "XSS in Mautic\n** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-35128. Reason: This candidate is a reservation duplicate of CVE-2020-35128. Notes: All CVE users should reference CVE-2020-35128 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-3142.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-3142.yaml" }, { "reference_url": "https://github.com/mautic/mautic/commit/ba31db23e664f889da55a29ff27f797e2ab5cb1b", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/commit/ba31db23e664f889da55a29ff27f797e2ab5cb1b" }, { "reference_url": "https://github.com/mautic/mautic/releases/tag/3.2.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/releases/tag/3.2.4" }, { "reference_url": "https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-3", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-3" }, { "reference_url": "https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3142", "reference_id": "CVE-2021-3142", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3142" }, { "reference_url": "https://github.com/advisories/GHSA-p7v4-gm6j-cw9m", "reference_id": "GHSA-p7v4-gm6j-cw9m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-p7v4-gm6j-cw9m" }, { "reference_url": "https://github.com/mautic/mautic/security/advisories/GHSA-p7v4-gm6j-cw9m", "reference_id": "GHSA-p7v4-gm6j-cw9m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/security/advisories/GHSA-p7v4-gm6j-cw9m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79578?format=api", "purl": "pkg:composer/mautic/core@2.16.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1unf-fcpb-t7gr" }, { "vulnerability": "VCID-9tjy-3czw-37as" }, { "vulnerability": "VCID-ghuh-z1uh-mbf5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@2.16.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/79564?format=api", "purl": "pkg:composer/mautic/core@3.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ghuh-z1uh-mbf5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@3.2.4" } ], "aliases": [ "CVE-2021-3142", "GHSA-p7v4-gm6j-cw9m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j624-5zx3-c7c8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53965?format=api", "vulnerability_id": "VCID-p9jy-6mbb-ukad", "summary": "Cross-site Scripting\nMautic is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. 
For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-35128", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00651", "scoring_system": "epss", "scoring_elements": "0.71253", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-35128" }, { "reference_url": "https://forum.mautic.org/c/announcements/16", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://forum.mautic.org/c/announcements/16" }, { "reference_url": "https://forum.mautic.org/t/security-release-for-all-versions-of-mautic-prior-to-2-16-5-and-3-2-4/17786", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://forum.mautic.org/t/security-release-for-all-versions-of-mautic-prior-to-2-16-5-and-3-2-4/17786" }, { "reference_url": "https://github.com/mautic/mautic", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic" }, { "reference_url": "https://labs.bishopfox.com/advisories/mautic-version-3.2.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://labs.bishopfox.com/advisories/mautic-version-3.2.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35128", "reference_id": "CVE-2020-35128", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35128" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79578?format=api", "purl": "pkg:composer/mautic/core@2.16.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1unf-fcpb-t7gr" }, { "vulnerability": "VCID-9tjy-3czw-37as" }, { "vulnerability": "VCID-ghuh-z1uh-mbf5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@2.16.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/79564?format=api", "purl": "pkg:composer/mautic/core@3.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ghuh-z1uh-mbf5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@3.2.4" } ], "aliases": [ "CVE-2020-35128", "GHSA-98j2-3jv7-274m" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p9jy-6mbb-ukad" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39581?format=api", "vulnerability_id": "VCID-2bf9-tpw5-6ybc", "summary": "Injection Vulnerability\nMautic allows CSV injection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-8092", "reference_id": "", "reference_type": "", "scores": [ { "value": 
"0.00486", "scoring_system": "epss", "scoring_elements": "0.65743", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-8092" }, { "reference_url": "https://github.com/mautic/mautic/commit/cbc49f0ac4cc7e3acc07f2a85c079b2f85225a6b", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/commit/cbc49f0ac4cc7e3acc07f2a85c079b2f85225a6b" }, { "reference_url": "https://github.com/mautic/mautic/releases/tag/2.13.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/releases/tag/2.13.0" }, { "reference_url": "https://github.com/mautic/mautic/security/advisories/GHSA-29v9-2fpx-j5g9", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/security/advisories/GHSA-29v9-2fpx-j5g9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8092", "reference_id": "CVE-2018-8092", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8092" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55381?format=api", "purl": 
"pkg:composer/mautic/core@2.13.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1unf-fcpb-t7gr" }, { "vulnerability": "VCID-9tjy-3czw-37as" }, { "vulnerability": "VCID-dh9y-k8zb-zkew" }, { "vulnerability": "VCID-ghuh-z1uh-mbf5" }, { "vulnerability": "VCID-j624-5zx3-c7c8" }, { "vulnerability": "VCID-p9jy-6mbb-ukad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@2.13.0" } ], "aliases": [ "CVE-2018-8092", "GHSA-29v9-2fpx-j5g9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2bf9-tpw5-6ybc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39571?format=api", "vulnerability_id": "VCID-7nmh-nhm6-abhr", "summary": "Information Exposure\nAn issue was discovered in Mautic. It is possible to systematically emulate tracking cookies per contact due to tracking the contact by their auto-incremented ID. Thus, a third party can manipulate the cookie value with +1 to systematically assume being tracked as each contact in Mautic. 
It is then possible to retrieve information about the contact through forms that have progressive profiling enabled.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-10189", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53602", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-10189" }, { "reference_url": "https://github.com/mautic/mautic/releases/tag/2.13.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/releases/tag/2.13.0" }, { "reference_url": "https://github.com/mautic/mautic/security/advisories/GHSA-vfxj-qg93-7wwc", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/security/advisories/GHSA-vfxj-qg93-7wwc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10189", "reference_id": "CVE-2018-10189", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10189" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55381?format=api", "purl": "pkg:composer/mautic/core@2.13.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1unf-fcpb-t7gr" }, { "vulnerability": "VCID-9tjy-3czw-37as" }, { "vulnerability": 
"VCID-dh9y-k8zb-zkew" }, { "vulnerability": "VCID-ghuh-z1uh-mbf5" }, { "vulnerability": "VCID-j624-5zx3-c7c8" }, { "vulnerability": "VCID-p9jy-6mbb-ukad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@2.13.0" } ], "aliases": [ "CVE-2018-10189", "GHSA-vfxj-qg93-7wwc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7nmh-nhm6-abhr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39580?format=api", "vulnerability_id": "VCID-hwrr-6qe1-77gn", "summary": "Cross-site Scripting\nMautic before v2.13.0 has stored XSS via a theme config file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-8071", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0024", "scoring_system": "epss", "scoring_elements": "0.47432", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-8071" }, { "reference_url": "https://github.com/mautic/mautic/commit/3add236e9cc00ea9b211b52cccc4660379b2ee8b", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/commit/3add236e9cc00ea9b211b52cccc4660379b2ee8b" }, { "reference_url": "https://github.com/mautic/mautic/releases/tag/2.13.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/releases/tag/2.13.0" }, { "reference_url": "https://github.com/mautic/mautic/security/advisories/GHSA-5w74-jx7m-x6hv", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mautic/mautic/security/advisories/GHSA-5w74-jx7m-x6hv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8071", "reference_id": "CVE-2018-8071", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8071" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55381?format=api", "purl": "pkg:composer/mautic/core@2.13.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1unf-fcpb-t7gr" }, { "vulnerability": "VCID-9tjy-3czw-37as" }, { "vulnerability": "VCID-dh9y-k8zb-zkew" }, { "vulnerability": "VCID-ghuh-z1uh-mbf5" }, { "vulnerability": "VCID-j624-5zx3-c7c8" }, { "vulnerability": "VCID-p9jy-6mbb-ukad" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@2.13.0" } ], "aliases": [ "CVE-2018-8071", "GHSA-5w74-jx7m-x6hv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hwrr-6qe1-77gn" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/mautic/core@2.13.0" }