Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/65067?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/65067?format=api", "purl": "pkg:composer/craftcms/cms@3.0.0", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "3.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.0.2", "latest_non_vulnerable_version": "5.9.9", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49586?format=api", "vulnerability_id": "VCID-5mnd-qvaq-k3am", "summary": "Unauthenticated Craft CMS users can trigger a database backup\nUnauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. Resources:\n\nhttps://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md", "references": [ { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68456", "reference_id": "CVE-2025-68456", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68456" }, { "reference_url": "https://github.com/advisories/GHSA-v64r-7wg9-23pr", "reference_id": 
"GHSA-v64r-7wg9-23pr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v64r-7wg9-23pr" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr", "reference_id": "GHSA-v64r-7wg9-23pr", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73170?format=api", "purl": "pkg:composer/craftcms/cms@4.16.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/73169?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68456", "GHSA-v64r-7wg9-23pr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5mnd-qvaq-k3am" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45141?format=api", "vulnerability_id": "VCID-6hcd-ayyh-3fdb", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms.", "references": [ { "reference_url": "https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442" }, { "reference_url": "https://github.com/craftcms/cms/commit/e2f7e7b7d86a0afa54ce855375d13c7760670764", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/commit/e2f7e7b7d86a0afa54ce855375d13c7760670764" }, { "reference_url": "https://github.com/advisories/GHSA-j4mx-98hw-6rv6", 
"reference_id": "GHSA-j4mx-98hw-6rv6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j4mx-98hw-6rv6" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6", "reference_id": "GHSA-j4mx-98hw-6rv6", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65071?format=api", "purl": "pkg:composer/craftcms/cms@3.8.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.8.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/65072?format=api", "purl": "pkg:composer/craftcms/cms@4.4.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.4" } ], "aliases": [ "CVE-2023-31144", "GHSA-j4mx-98hw-6rv6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6hcd-ayyh-3fdb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45893?format=api", "vulnerability_id": "VCID-ec34-nvn3-qbcb", "summary": "Craft CMS vulnerable to Remote Code Execution via validatePath bypass\nBypassing the validatePath function can lead to potential Remote Code Execution\n(Post-authentication, ALLOW_ADMIN_CHANGES=true)", "references": [ { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5" }, { "reference_url": 
"https://github.com/craftcms/cms/releases/tag/3.8.15", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/releases/tag/3.8.15" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.4.15", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/releases/tag/4.4.15" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40035", "reference_id": "CVE-2023-40035", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40035" }, { "reference_url": "https://github.com/advisories/GHSA-44wr-rmwq-3phw", "reference_id": "GHSA-44wr-rmwq-3phw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-44wr-rmwq-3phw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw", "reference_id": "GHSA-44wr-rmwq-3phw", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66617?format=api", "purl": "pkg:composer/craftcms/cms@3.8.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.8.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/66616?format=api", "purl": "pkg:composer/craftcms/cms@4.4.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15" } ], "aliases": [ "CVE-2023-40035", "GHSA-44wr-rmwq-3phw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ec34-nvn3-qbcb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45282?format=api", "vulnerability_id": "VCID-hm7h-7cu3-8be1", "summary": "Improper Neutralization of Input During 
Web Page Generation ('Cross-site Scripting')\nCraft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.", "references": [ { "reference_url": "https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.4.6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/releases/tag/4.4.6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33194", "reference_id": "CVE-2023-33194", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33194" }, { "reference_url": "https://github.com/advisories/GHSA-3wxg-w96j-8hq9", "reference_id": "GHSA-3wxg-w96j-8hq9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3wxg-w96j-8hq9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9", "reference_id": "GHSA-3wxg-w96j-8hq9", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65251?format=api", "purl": "pkg:composer/craftcms/cms@3.8.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.8.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/65150?format=api", "purl": "pkg:composer/craftcms/cms@4.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2vn9-2cs3-vbg3" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6" } ], "aliases": [ "CVE-2023-33194", "GHSA-3wxg-w96j-8hq9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hm7h-7cu3-8be1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46777?format=api", "vulnerability_id": "VCID-jhen-vhqx-n7dr", "summary": "Improper Privilege Management\nCraft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.", "references": [ { "reference_url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16" }, { "reference_url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16" }, { "reference_url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa" }, { "reference_url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843" }, { "reference_url": "https://github.com/craftcms/cms/pull/13931", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/pull/13931" }, { 
"reference_url": "https://github.com/craftcms/cms/pull/13932", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/pull/13932" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21622", "reference_id": "CVE-2024-21622", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21622" }, { "reference_url": "https://github.com/advisories/GHSA-j5g9-j7r4-6qvx", "reference_id": "GHSA-j5g9-j7r4-6qvx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j5g9-j7r4-6qvx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "reference_id": "GHSA-j5g9-j7r4-6qvx", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68405?format=api", "purl": "pkg:composer/craftcms/cms@3.9.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.9.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/68406?format=api", "purl": "pkg:composer/craftcms/cms@4.5.11", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.5.11" } ], "aliases": [ "CVE-2024-21622", "GHSA-j5g9-j7r4-6qvx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jhen-vhqx-n7dr" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.0.0" }