Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/59690?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/59690?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@5.6.4", "type": "composer", "namespace": "grumpydictator", "name": "firefly-iii", "version": "5.6.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.1.17", "latest_non_vulnerable_version": "6.5.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44820?format=api", "vulnerability_id": "VCID-2xs8-eknt-gyap", "summary": "Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 6.0.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-1789", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40597", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40593", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40513", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-1789" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/commit/6b05c0fbd3e8c40ae9b24dc2698821786fccf0c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T16:44:17Z/" } ], "url": "https://github.com/firefly-iii/firefly-iii/commit/6b05c0fbd3e8c40ae9b24dc2698821786fccf0c5" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/pull/7043", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii/pull/7043" }, { "reference_url": "https://huntr.dev/bounties/2c3489f7-6b84-48f8-9368-9cea67cf373d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T16:44:17Z/" } ], "url": "https://huntr.dev/bounties/2c3489f7-6b84-48f8-9368-9cea67cf373d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1789", "reference_id": "CVE-2023-1789", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1789" }, { "reference_url": "https://github.com/advisories/GHSA-mwxw-hxvp-4r2r", "reference_id": "GHSA-mwxw-hxvp-4r2r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" 
} ], "url": "https://github.com/advisories/GHSA-mwxw-hxvp-4r2r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64495?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@5.7.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5as2-q475-7fgv" }, { "vulnerability": "VCID-6ydw-rfb3-hbe3" }, { "vulnerability": "VCID-jfps-wzcx-vyfj" }, { "vulnerability": "VCID-t96s-982j-d3fr" }, { "vulnerability": "VCID-zyzb-95vu-bfbp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.7.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/64494?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@6.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xs8-eknt-gyap" }, { "vulnerability": "VCID-5as2-q475-7fgv" }, { "vulnerability": "VCID-jfps-wzcx-vyfj" }, { "vulnerability": "VCID-zyzb-95vu-bfbp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/64496?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@6.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5as2-q475-7fgv" }, { "vulnerability": "VCID-jfps-wzcx-vyfj" }, { "vulnerability": "VCID-zyzb-95vu-bfbp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.0.1" } ], "aliases": [ "CVE-2023-1789", "GHSA-mwxw-hxvp-4r2r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2xs8-eknt-gyap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46788?format=api", "vulnerability_id": "VCID-5as2-q475-7fgv", "summary": "Firefly III allows webhooks HTML Injection.\nFirefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection.", 
"references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22075", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31784", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31815", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22075" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/commit/28021aa711500bbada649de8fab9e72b4084ab21", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii/commit/28021aa711500bbada649de8fab9e72b4084ab21" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/releases/tag/v6.1.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-17T16:31:14Z/" } ], "url": "https://github.com/firefly-iii/firefly-iii/releases/tag/v6.1.1" }, { "reference_url": 
"https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22075", "reference_id": "CVE-2024-22075", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22075" }, { "reference_url": "https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire/", "reference_id": "front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-17T16:31:14Z/" } ], "url": "https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire/" }, { "reference_url": "https://github.com/advisories/GHSA-vwv2-9wcj-64vx", "reference_id": "GHSA-vwv2-9wcj-64vx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vwv2-9wcj-64vx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68418?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@6.1.1", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-jfps-wzcx-vyfj" }, { "vulnerability": "VCID-zyzb-95vu-bfbp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.1.1" } ], "aliases": [ "CVE-2024-22075", "GHSA-vwv2-9wcj-64vx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5as2-q475-7fgv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44864?format=api", "vulnerability_id": "VCID-6ydw-rfb3-hbe3", "summary": "Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6.0.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-1788", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00226", "scoring_system": "epss", "scoring_elements": "0.45393", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00226", "scoring_system": "epss", "scoring_elements": "0.45465", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00226", "scoring_system": "epss", "scoring_elements": "0.45462", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-1788" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/commit/68f398f97cbe1870fc098d8460bf903b9c3fab30", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T20:41:29Z/" } ], "url": "https://github.com/firefly-iii/firefly-iii/commit/68f398f97cbe1870fc098d8460bf903b9c3fab30" }, { "reference_url": "https://huntr.dev/bounties/79323c9e-e0e5-48ef-bd19-d0b09587ccb2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T20:41:29Z/" } ], "url": "https://huntr.dev/bounties/79323c9e-e0e5-48ef-bd19-d0b09587ccb2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1788", "reference_id": "CVE-2023-1788", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1788" }, { "reference_url": "https://github.com/advisories/GHSA-h7vv-46p5-prmh", "reference_id": "GHSA-h7vv-46p5-prmh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h7vv-46p5-prmh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64494?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@6.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xs8-eknt-gyap" }, { "vulnerability": 
"VCID-5as2-q475-7fgv" }, { "vulnerability": "VCID-jfps-wzcx-vyfj" }, { "vulnerability": "VCID-zyzb-95vu-bfbp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.0.0" } ], "aliases": [ "CVE-2023-1788", "GHSA-h7vv-46p5-prmh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6ydw-rfb3-hbe3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55372?format=api", "vulnerability_id": "VCID-jfps-wzcx-vyfj", "summary": "Firefly III has an MFA bypass in the OAuth flow\nAn MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try to sign an OAuth application up to a user's profile quite easily if they have created one. 
The attacker would also need to know the victim's username and password.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37893", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08453", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08441", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37893" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii" }, { "reference_url": "https://owasp.org/www-community/attacks/Password_Spraying_Attack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-15T19:20:53Z/" } ], "url": "https://owasp.org/www-community/attacks/Password_Spraying_Attack" }, { "reference_url": "https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-15T19:20:53Z/" } ], "url": 
"https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37893", "reference_id": "CVE-2024-37893", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37893" }, { "reference_url": "https://github.com/advisories/GHSA-4gm4-c4mh-4p7w", "reference_id": "GHSA-4gm4-c4mh-4p7w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4gm4-c4mh-4p7w" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-4gm4-c4mh-4p7w", "reference_id": "GHSA-4gm4-c4mh-4p7w", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-15T19:20:53Z/" } ], "url": "https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-4gm4-c4mh-4p7w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81870?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@6.1.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.1.17" } ], "aliases": [ "CVE-2024-37893", "GHSA-4gm4-c4mh-4p7w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-jfps-wzcx-vyfj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41809?format=api", "vulnerability_id": "VCID-pvmv-dy5p-pkbn", "summary": "firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-4005", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36737", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36835", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36829", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-4005" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/commit/03a1601bf343181df9f405dd2109aec483cb7053", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii/commit/03a1601bf343181df9f405dd2109aec483cb7053" }, { "reference_url": "https://huntr.dev/bounties/bf4ef581-325a-492d-a710-14fcb53f00ff", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/bf4ef581-325a-492d-a710-14fcb53f00ff" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4005", "reference_id": "CVE-2021-4005", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4005" }, { "reference_url": "https://github.com/advisories/GHSA-hjhp-hwfj-hwf3", "reference_id": "GHSA-hjhp-hwfj-hwf3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hjhp-hwfj-hwf3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/59713?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@5.6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xs8-eknt-gyap" }, { "vulnerability": "VCID-5as2-q475-7fgv" }, { "vulnerability": "VCID-6ydw-rfb3-hbe3" }, { "vulnerability": "VCID-jfps-wzcx-vyfj" }, { "vulnerability": "VCID-t96s-982j-d3fr" }, { "vulnerability": "VCID-zyzb-95vu-bfbp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.5" } ], "aliases": [ "CVE-2021-4005", "GHSA-hjhp-hwfj-hwf3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pvmv-dy5p-pkbn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54695?format=api", "vulnerability_id": "VCID-t96s-982j-d3fr", "summary": "Incorrect Authorization\nImproper Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0298", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.3723", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37327", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37322", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0298" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/commit/db0500dcf0d4f1990fc7a377ef0d56c3884fcaa4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-07T18:41:12Z/" } ], "url": "https://github.com/firefly-iii/firefly-iii/commit/db0500dcf0d4f1990fc7a377ef0d56c3884fcaa4" }, { "reference_url": "https://huntr.dev/bounties/9689052c-c1d7-4aae-aa08-346c9b6e04ed", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-07T18:41:12Z/" } ], "url": "https://huntr.dev/bounties/9689052c-c1d7-4aae-aa08-346c9b6e04ed" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0298", "reference_id": "CVE-2023-0298", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0298" }, { "reference_url": "https://github.com/advisories/GHSA-7mc4-jp4f-v2j2", "reference_id": "GHSA-7mc4-jp4f-v2j2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7mc4-jp4f-v2j2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64493?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@5.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xs8-eknt-gyap" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.8.0" } ], "aliases": [ "CVE-2023-0298", "GHSA-7mc4-jp4f-v2j2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t96s-982j-d3fr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46920?format=api", "vulnerability_id": "VCID-zyzb-95vu-bfbp", "summary": "C5 Firefly III CSV Injection.\n### Summary\nCSV injection is a vulnerability where untrusted user input in CSV files can lead to unauthorized access or data manipulation. 
 \nIn my subsequent testing of the application.\n\n### Details\nI discovered that there is an option to \"Export Data\" from the web app to your personal computer, which exports a \"csv\" file that can be opened with Excel software that supports macros.\n\nP.S \nI discovered that the web application is offering a demo site that anyone may access to play with the web application. So, there's a chance that someone will export the data (CSV) from the demo site and open it on their PC, giving the malicious actor complete control over their machine (if a user has entered a malicious payload into the website).\n\n### PoC\nYou can check out my vulnerability report if you need more details/PoC with screenshots: (removed by JC5)\n\n### Impact\nAn attacker can exploit this by entering a specially crafted payload into one of the fields; when a user exports the CSV file using the \"Export Data\" function, the attacker can potentially achieve RCE on the user's machine.\n\n### Addendum by JC5, the developer of Firefly III\nThere is zero impact on normal users, even on vulnerable versions.", "references": [ { "reference_url": "https://github.com/firefly-iii/firefly-iii", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii" }, { "reference_url": "https://github.com/advisories/GHSA-29w6-c52g-m8jc", "reference_id": "GHSA-29w6-c52g-m8jc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-29w6-c52g-m8jc" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-29w6-c52g-m8jc", "reference_id": "GHSA-29w6-c52g-m8jc", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-29w6-c52g-m8jc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68662?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@6.1.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jfps-wzcx-vyfj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.1.7" } ], "aliases": [ "GHSA-29w6-c52g-m8jc", "GMS-2024-52" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zyzb-95vu-bfbp" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41787?format=api", "vulnerability_id": "VCID-vkg3-xm11-3qdh", "summary": "firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-4015", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36835", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36829", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36737", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-4015" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/commit/518b4ba5a7a56760902758ae0a2c6a392c2f4d37", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii/commit/518b4ba5a7a56760902758ae0a2c6a392c2f4d37" }, { "reference_url": "https://github.com/firefly-iii/firefly-iii/releases/tag/5.6.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/firefly-iii/firefly-iii/releases/tag/5.6.5" }, { "reference_url": "https://huntr.dev/bounties/b698d445-602d-4701-961c-dffe6d3009b1", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/b698d445-602d-4701-961c-dffe6d3009b1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4015", "reference_id": "CVE-2021-4015", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4015" }, { "reference_url": "https://github.com/advisories/GHSA-g6vq-wc8w-4g69", "reference_id": "GHSA-g6vq-wc8w-4g69", "reference_type": "", "scores": [ { "value": 
"MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g6vq-wc8w-4g69" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/59690?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@5.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xs8-eknt-gyap" }, { "vulnerability": "VCID-5as2-q475-7fgv" }, { "vulnerability": "VCID-6ydw-rfb3-hbe3" }, { "vulnerability": "VCID-jfps-wzcx-vyfj" }, { "vulnerability": "VCID-pvmv-dy5p-pkbn" }, { "vulnerability": "VCID-t96s-982j-d3fr" }, { "vulnerability": "VCID-zyzb-95vu-bfbp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/59713?format=api", "purl": "pkg:composer/grumpydictator/firefly-iii@5.6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2xs8-eknt-gyap" }, { "vulnerability": "VCID-5as2-q475-7fgv" }, { "vulnerability": "VCID-6ydw-rfb3-hbe3" }, { "vulnerability": "VCID-jfps-wzcx-vyfj" }, { "vulnerability": "VCID-t96s-982j-d3fr" }, { "vulnerability": "VCID-zyzb-95vu-bfbp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.5" } ], "aliases": [ "CVE-2021-4015", "GHSA-g6vq-wc8w-4g69" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vkg3-xm11-3qdh" } ], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.4" }