Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/silverstripe/graphql@4.0.0-alpha1
Typecomposer
Namespacesilverstripe
Namegraphql
Version4.0.0-alpha1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version4.0.0-alpha2
Latest_non_vulnerable_version5.1.3
Affected_by_vulnerabilities
0
url VCID-ajga-3b99-yugh
vulnerability_id VCID-ajga-3b99-yugh
summary 
Authentication bypass in SilverStripe GraphQL
The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.

Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-26136
reference_id
reference_type
scores
0
value 0.00216
scoring_system epss
scoring_elements 0.44118
published_at 2026-04-01T12:55:00Z
1
value 0.00216
scoring_system epss
scoring_elements 0.44227
published_at 2026-04-18T12:55:00Z
2
value 0.00216
scoring_system epss
scoring_elements 0.44237
published_at 2026-04-16T12:55:00Z
3
value 0.00216
scoring_system epss
scoring_elements 0.44176
published_at 2026-04-13T12:55:00Z
4
value 0.00216
scoring_system epss
scoring_elements 0.44208
published_at 2026-04-11T12:55:00Z
5
value 0.00216
scoring_system epss
scoring_elements 0.44182
published_at 2026-04-02T12:55:00Z
6
value 0.00216
scoring_system epss
scoring_elements 0.44193
published_at 2026-04-09T12:55:00Z
7
value 0.00216
scoring_system epss
scoring_elements 0.44188
published_at 2026-04-08T12:55:00Z
8
value 0.00216
scoring_system epss
scoring_elements 0.44137
published_at 2026-04-07T12:55:00Z
9
value 0.00216
scoring_system epss
scoring_elements 0.44206
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-26136
1
reference_url https://forum.silverstripe.org/c/releases
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://forum.silverstripe.org/c/releases
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-26136.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-26136.yaml
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-26136
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-26136
4
reference_url https://www.silverstripe.org/blog/tag/release
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.silverstripe.org/blog/tag/release
5
reference_url https://www.silverstripe.org/download/security-releases
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.silverstripe.org/download/security-releases
6
reference_url https://www.silverstripe.org/download/security-releases/
reference_id
reference_type
scores
url https://www.silverstripe.org/download/security-releases/
7
reference_url https://www.silverstripe.org/download/security-releases/cve-2020-26136
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.silverstripe.org/download/security-releases/cve-2020-26136
8
reference_url https://github.com/advisories/GHSA-mg2g-8pwj-r2j2
reference_id GHSA-mg2g-8pwj-r2j2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mg2g-8pwj-r2j2
fixed_packages
0
url pkg:composer/silverstripe/graphql@4.0.0-alpha2
purl pkg:composer/silverstripe/graphql@4.0.0-alpha2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.0.0-alpha2
aliases CVE-2020-26136, GHSA-mg2g-8pwj-r2j2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ajga-3b99-yugh
Fixing_vulnerabilities
0
url VCID-zaty-jxqd-hyb4
vulnerability_id VCID-zaty-jxqd-hyb4
summary 
Uncontrolled Resource Consumption
silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this may further mitigate the risk. This issue has been addressed in versions 3.8.2, 4.1.3, 4.2.5, 4.3.4, and 5.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-40180
reference_id
reference_type
scores
0
value 0.0068
scoring_system epss
scoring_elements 0.71563
published_at 2026-04-04T12:55:00Z
1
value 0.0068
scoring_system epss
scoring_elements 0.71625
published_at 2026-04-18T12:55:00Z
2
value 0.0068
scoring_system epss
scoring_elements 0.71621
published_at 2026-04-16T12:55:00Z
3
value 0.0068
scoring_system epss
scoring_elements 0.71594
published_at 2026-04-12T12:55:00Z
4
value 0.0068
scoring_system epss
scoring_elements 0.7161
published_at 2026-04-11T12:55:00Z
5
value 0.0068
scoring_system epss
scoring_elements 0.71587
published_at 2026-04-09T12:55:00Z
6
value 0.0068
scoring_system epss
scoring_elements 0.71576
published_at 2026-04-13T12:55:00Z
7
value 0.0068
scoring_system epss
scoring_elements 0.71536
published_at 2026-04-07T12:55:00Z
8
value 0.0068
scoring_system epss
scoring_elements 0.71546
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-40180
1
reference_url https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T17:21:23Z/
url https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries
2
reference_url https://github.com/silverstripe/silverstripe-graphql
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/silverstripe/silverstripe-graphql
3
reference_url https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T17:21:23Z/
url https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c
4
reference_url https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T17:21:23Z/
url https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40180
reference_id CVE-2023-40180
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-40180
6
reference_url https://www.silverstripe.org/download/security-releases/CVE-2023-40180
reference_id CVE-2023-40180
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T17:21:23Z/
url https://www.silverstripe.org/download/security-releases/CVE-2023-40180
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2023-40180.yaml
reference_id CVE-2023-40180.YAML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2023-40180.yaml
8
reference_url https://github.com/advisories/GHSA-v23w-pppm-jh66
reference_id GHSA-v23w-pppm-jh66
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v23w-pppm-jh66
9
reference_url https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66
reference_id GHSA-v23w-pppm-jh66
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T17:21:23Z/
url https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66
fixed_packages
0
url pkg:composer/silverstripe/graphql@3.8.2
purl pkg:composer/silverstripe/graphql@3.8.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@3.8.2
1
url pkg:composer/silverstripe/graphql@4.0.0-alpha1
purl pkg:composer/silverstripe/graphql@4.0.0-alpha1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ajga-3b99-yugh
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.0.0-alpha1
2
url pkg:composer/silverstripe/graphql@4.1.3
purl pkg:composer/silverstripe/graphql@4.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.1.3
3
url pkg:composer/silverstripe/graphql@4.2.5
purl pkg:composer/silverstripe/graphql@4.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.5
4
url pkg:composer/silverstripe/graphql@4.3.0-rc1
purl pkg:composer/silverstripe/graphql@4.3.0-rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.0-rc1
5
url pkg:composer/silverstripe/graphql@4.3.4
purl pkg:composer/silverstripe/graphql@4.3.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.4
6
url pkg:composer/silverstripe/graphql@5.0.0-alpha1
purl pkg:composer/silverstripe/graphql@5.0.0-alpha1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.0-alpha1
7
url pkg:composer/silverstripe/graphql@5.0.3
purl pkg:composer/silverstripe/graphql@5.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.3
8
url pkg:composer/silverstripe/graphql@5.1.0-beta1
purl pkg:composer/silverstripe/graphql@5.1.0-beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.1.0-beta1
aliases CVE-2023-40180, GHSA-v23w-pppm-jh66
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zaty-jxqd-hyb4
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.0.0-alpha1