Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/582419?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/582419?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.3-1", "type": "deb", "namespace": "debian", "name": "dnsdist", "version": "2.0.3-1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.0.4-1", "latest_non_vulnerable_version": "2.0.4-1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353755?format=api", "vulnerability_id": "VCID-1mgq-74b9-4bcg", "summary": "A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33595", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01113", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01245", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33595" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33595", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33595" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:40:24Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33595" ], "risk_score": 1.3, "exploitability": "0.5", "weighted_severity": "2.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1mgq-74b9-4bcg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353731?format=api", "vulnerability_id": "VCID-744k-b7s7-kbh5", "summary": "A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33599", "reference_id": "", "reference_type": "", "scores": [ { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00277", "published_at": "2026-04-24T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00302", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33599" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33599", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33599" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:50:15Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33599" ], "risk_score": 0.8, "exploitability": "0.5", "weighted_severity": "1.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-744k-b7s7-kbh5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353732?format=api", "vulnerability_id": "VCID-7xds-447f-qufr", "summary": "A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33596", "reference_id": "", "reference_type": "", "scores": [ { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00279", "published_at": "2026-04-24T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00277", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33596" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33596", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33596" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:43:12Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33596" ], "risk_score": 0.8, "exploitability": "0.5", "weighted_severity": "1.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7xds-447f-qufr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353745?format=api", "vulnerability_id": "VCID-a65j-y7z3-fudk", "summary": "A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33602", "reference_id": "", "reference_type": "", "scores": [ { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00235", "published_at": "2026-04-24T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00261", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33602" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33602", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33602" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:46:39Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33602" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a65j-y7z3-fudk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353736?format=api", "vulnerability_id": "VCID-afun-gxhy-rbed", "summary": "A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33593", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05546", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05905", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33593" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33593", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33593" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:29:04Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33593" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-afun-gxhy-rbed" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353753?format=api", "vulnerability_id": "VCID-chzq-qej6-rkdq", "summary": "An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33257", "reference_id": "", "reference_type": "", "scores": [ { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00992", "published_at": "2026-04-26T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00988", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33257" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33257", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33257" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html", "reference_id": "powerdns-advisory-2026-05.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:54:48Z/" } ], "url": "https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:54:48Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" }, { "reference_url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html", "reference_id": "powerdns-advisory-powerdns-2026-03.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:54:48Z/" } ], "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33257" ], "risk_score": 1.3, "exploitability": "0.5", "weighted_severity": "2.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-chzq-qej6-rkdq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353749?format=api", "vulnerability_id": "VCID-fbsf-bbw7-kyah", "summary": "PRSD detection denial of service", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33597", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01911", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.0215", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33597" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33597", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33597" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:41:11Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33597" ], "risk_score": 0.9, "exploitability": "0.5", "weighted_severity": "1.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fbsf-bbw7-kyah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353743?format=api", "vulnerability_id": "VCID-nrex-hpxg-ekhs", "summary": "A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33594", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01113", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01245", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33594" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33594", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33594" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:36:44Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33594" ], "risk_score": 1.3, "exploitability": "0.5", "weighted_severity": "2.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nrex-hpxg-ekhs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353751?format=api", "vulnerability_id": "VCID-pfhu-1qdf-p7d5", "summary": "An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33260", "reference_id": "", "reference_type": "", "scores": [ { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00992", "published_at": "2026-04-26T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00988", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33260" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33260", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33260" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html", "reference_id": "powerdns-advisory-2026-05.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:54:50Z/" } ], "url": "https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:54:50Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" }, { "reference_url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html", "reference_id": "powerdns-advisory-powerdns-2026-03.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:54:50Z/" } ], "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33260" ], "risk_score": 1.3, "exploitability": "0.5", "weighted_severity": "2.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pfhu-1qdf-p7d5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353741?format=api", "vulnerability_id": "VCID-qc7c-1d8j-hfha", "summary": "A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33598", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01254", "published_at": "2026-04-26T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.01005", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33598" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33598", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33598" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:49:38Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33598" ], "risk_score": 1.2, "exploitability": "0.5", "weighted_severity": "2.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qc7c-1d8j-hfha" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/353746?format=api", "vulnerability_id": "VCID-ytdy-s1ug-dkh7", "summary": "An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33254", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01103", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01109", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33254" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33254", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33254" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-04.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:51:24Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076495?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.4-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.4-1" } ], "aliases": [ "CVE-2026-33254" ], "risk_score": 1.3, "exploitability": "0.5", "weighted_severity": "2.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ytdy-s1ug-dkh7" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97050?format=api", "vulnerability_id": "VCID-3qce-a24m-yue1", "summary": "An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27853", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03035", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0535", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05319", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06466", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06382", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.0643", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06473", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.0646", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06449", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.06907", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.0701", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.06891", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07026", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27853" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27853", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27853" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-02.html", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:14:03Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/582419?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.3-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1mgq-74b9-4bcg" }, { "vulnerability": "VCID-744k-b7s7-kbh5" }, { "vulnerability": "VCID-7xds-447f-qufr" }, { "vulnerability": "VCID-a65j-y7z3-fudk" }, { "vulnerability": "VCID-afun-gxhy-rbed" }, { "vulnerability": "VCID-chzq-qej6-rkdq" }, { "vulnerability": "VCID-fbsf-bbw7-kyah" }, { "vulnerability": "VCID-nrex-hpxg-ekhs" }, { "vulnerability": "VCID-pfhu-1qdf-p7d5" }, { "vulnerability": "VCID-qc7c-1d8j-hfha" }, { "vulnerability": "VCID-ytdy-s1ug-dkh7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.3-1" } ], "aliases": [ "CVE-2026-27853" ], "risk_score": 1.5, "exploitability": "0.5", "weighted_severity": "3.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3qce-a24m-yue1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97023?format=api", "vulnerability_id": "VCID-atx2-yc9p-g3c7", "summary": "An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24030", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01868", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01856", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02867", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02893", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02894", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02891", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02919", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02872", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03302", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03414", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03429", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03313", "published_at": "2026-04-18T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00981", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24030" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24030", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24030" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-02.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:14:53Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/582419?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.3-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1mgq-74b9-4bcg" }, { "vulnerability": "VCID-744k-b7s7-kbh5" }, { "vulnerability": "VCID-7xds-447f-qufr" }, { "vulnerability": "VCID-a65j-y7z3-fudk" }, { "vulnerability": "VCID-afun-gxhy-rbed" }, { "vulnerability": "VCID-chzq-qej6-rkdq" }, { "vulnerability": "VCID-fbsf-bbw7-kyah" }, { "vulnerability": "VCID-nrex-hpxg-ekhs" }, { "vulnerability": "VCID-pfhu-1qdf-p7d5" }, { "vulnerability": "VCID-qc7c-1d8j-hfha" }, { "vulnerability": "VCID-ytdy-s1ug-dkh7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.3-1" } ], "aliases": [ "CVE-2026-24030" ], "risk_score": 1.3, "exploitability": "0.5", "weighted_severity": "2.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-atx2-yc9p-g3c7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97022?format=api", "vulnerability_id": "VCID-c7az-aw1f-4yah", "summary": "When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24029", "reference_id": "", "reference_type": "", "scores": [ { "value": "2e-05", "scoring_system": "epss", "scoring_elements": "0.0006", "published_at": "2026-04-26T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00061", "published_at": "2026-04-02T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.0009", "published_at": "2026-04-09T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00091", "published_at": "2026-04-13T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00103", "published_at": "2026-04-18T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00105", "published_at": "2026-04-24T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.0006", "published_at": "2026-04-04T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00089", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24029" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24029", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24029" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-02.html", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:15:34Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/582419?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.3-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1mgq-74b9-4bcg" }, { "vulnerability": "VCID-744k-b7s7-kbh5" }, { "vulnerability": "VCID-7xds-447f-qufr" }, { "vulnerability": "VCID-a65j-y7z3-fudk" }, { "vulnerability": "VCID-afun-gxhy-rbed" }, { "vulnerability": "VCID-chzq-qej6-rkdq" }, { "vulnerability": "VCID-fbsf-bbw7-kyah" }, { "vulnerability": "VCID-nrex-hpxg-ekhs" }, { "vulnerability": "VCID-pfhu-1qdf-p7d5" }, { "vulnerability": "VCID-qc7c-1d8j-hfha" }, { "vulnerability": "VCID-ytdy-s1ug-dkh7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.3-1" } ], "aliases": [ "CVE-2026-24029" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c7az-aw1f-4yah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96979?format=api", "vulnerability_id": "VCID-gx8g-nvhj-1kak", "summary": "When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-0397", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01085", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01083", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01499", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01266", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01272", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01276", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01258", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01252", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01254", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01412", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01398", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01506", "published_at": "2026-04-24T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00522", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-0397" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0397", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0397" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-02.html", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:19:54Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/582419?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.3-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1mgq-74b9-4bcg" }, { "vulnerability": "VCID-744k-b7s7-kbh5" }, { "vulnerability": "VCID-7xds-447f-qufr" }, { "vulnerability": "VCID-a65j-y7z3-fudk" }, { "vulnerability": "VCID-afun-gxhy-rbed" }, { "vulnerability": "VCID-chzq-qej6-rkdq" }, { "vulnerability": "VCID-fbsf-bbw7-kyah" }, { "vulnerability": "VCID-nrex-hpxg-ekhs" }, { "vulnerability": "VCID-pfhu-1qdf-p7d5" }, { "vulnerability": "VCID-qc7c-1d8j-hfha" }, { "vulnerability": "VCID-ytdy-s1ug-dkh7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.3-1" } ], "aliases": [ "CVE-2026-0397" ], "risk_score": 0.8, "exploitability": "0.5", "weighted_severity": "1.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gx8g-nvhj-1kak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97021?format=api", "vulnerability_id": "VCID-rf53-w9k3-7ych", "summary": "An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24028", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01868", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01856", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03035", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02893", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02894", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02919", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02891", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02872", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02867", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02917", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02907", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03033", "published_at": "2026-04-24T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00901", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24028" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24028", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24028" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-02.html", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:18:03Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/582419?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.3-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1mgq-74b9-4bcg" }, { "vulnerability": "VCID-744k-b7s7-kbh5" }, { "vulnerability": "VCID-7xds-447f-qufr" }, { "vulnerability": "VCID-a65j-y7z3-fudk" }, { "vulnerability": "VCID-afun-gxhy-rbed" }, { "vulnerability": "VCID-chzq-qej6-rkdq" }, { "vulnerability": "VCID-fbsf-bbw7-kyah" }, { "vulnerability": "VCID-nrex-hpxg-ekhs" }, { "vulnerability": "VCID-pfhu-1qdf-p7d5" }, { "vulnerability": "VCID-qc7c-1d8j-hfha" }, { "vulnerability": "VCID-ytdy-s1ug-dkh7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.3-1" } ], "aliases": [ "CVE-2026-24028" ], "risk_score": 1.3, "exploitability": "0.5", "weighted_severity": "2.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rf53-w9k3-7ych" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97051?format=api", "vulnerability_id": "VCID-szpa-skfv-bygh", "summary": "An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27854", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01334", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01353", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01352", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.0134", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01336", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01349", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02907", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02917", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03035", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03033", "published_at": "2026-04-24T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00901", "published_at": "2026-04-26T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.0095", "published_at": "2026-04-02T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00951", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27854" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27854", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27854" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-02.html", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:12:37Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/582419?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.3-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1mgq-74b9-4bcg" }, { "vulnerability": "VCID-744k-b7s7-kbh5" }, { "vulnerability": "VCID-7xds-447f-qufr" }, { "vulnerability": "VCID-a65j-y7z3-fudk" }, { "vulnerability": "VCID-afun-gxhy-rbed" }, { "vulnerability": "VCID-chzq-qej6-rkdq" }, { "vulnerability": "VCID-fbsf-bbw7-kyah" }, { "vulnerability": "VCID-nrex-hpxg-ekhs" }, { "vulnerability": "VCID-pfhu-1qdf-p7d5" }, { "vulnerability": "VCID-qc7c-1d8j-hfha" }, { "vulnerability": "VCID-ytdy-s1ug-dkh7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.3-1" } ], "aliases": [ "CVE-2026-27854" ], "risk_score": 1.2, "exploitability": "0.5", "weighted_severity": "2.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-szpa-skfv-bygh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96978?format=api", "vulnerability_id": "VCID-x5p9-vthx-tud8", "summary": "An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-0396", "reference_id": "", "reference_type": "", "scores": [ { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00135", "published_at": "2026-04-04T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00134", "published_at": "2026-04-02T12:55:00Z" }, { "value": "3e-05", "scoring_system": "epss", "scoring_elements": "0.00103", "published_at": "2026-04-26T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00148", "published_at": "2026-04-09T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00156", "published_at": "2026-04-18T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00157", "published_at": "2026-04-21T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.0016", "published_at": "2026-04-24T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00149", "published_at": "2026-04-13T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.0015", "published_at": "2026-04-11T12:55:00Z" }, { "value": "4e-05", "scoring_system": "epss", "scoring_elements": "0.00155", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-0396" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0396", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0396" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html", "reference_id": "powerdns-advisory-for-dnsdist-2026-02.html", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:21:05Z/" } ], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/582419?format=api", "purl": "pkg:deb/debian/dnsdist@2.0.3-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1mgq-74b9-4bcg" }, { "vulnerability": "VCID-744k-b7s7-kbh5" }, { "vulnerability": "VCID-7xds-447f-qufr" }, { "vulnerability": "VCID-a65j-y7z3-fudk" }, { "vulnerability": "VCID-afun-gxhy-rbed" }, { "vulnerability": "VCID-chzq-qej6-rkdq" }, { "vulnerability": "VCID-fbsf-bbw7-kyah" }, { "vulnerability": "VCID-nrex-hpxg-ekhs" }, { "vulnerability": "VCID-pfhu-1qdf-p7d5" }, { "vulnerability": "VCID-qc7c-1d8j-hfha" }, { "vulnerability": "VCID-ytdy-s1ug-dkh7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.3-1" } ], "aliases": [ "CVE-2026-0396" ], "risk_score": 0.8, "exploitability": "0.5", "weighted_severity": "1.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x5p9-vthx-tud8" } ], "risk_score": "1.9", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/dnsdist@2.0.3-1" }