Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/6580?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/6580?format=api", "purl": "pkg:npm/swagger-ui@2.2.1", "type": "npm", "namespace": "", "name": "swagger-ui", "version": "2.2.1", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "3.23.11", "latest_non_vulnerable_version": "4.1.3", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53041?format=api", "vulnerability_id": "VCID-3hsn-22rw-7kay", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nSwagger-UI before 2.2.1 has XSS via the Default field in the Definitions section.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5682.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5682.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-5682", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.5156", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-5682" }, { "reference_url": "https://community.rapid7.com/community/infosec/blog/2016/09/02/r7-2016-19-persistent-xss-via-unescaped-parameters-in-swagger-ui", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://community.rapid7.com/community/infosec/blog/2016/09/02/r7-2016-19-persistent-xss-via-unescaped-parameters-in-swagger-ui" }, { "reference_url": "https://github.com/swagger-api/swagger-ui", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/issues/1865", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/issues/1865" }, { "reference_url": "https://www.npmjs.com/advisories/126", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/126" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1443546", "reference_id": "1443546", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1443546" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5682", "reference_id": "CVE-2016-5682", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5682" }, { "reference_url": "https://github.com/advisories/GHSA-p239-93f7-h6xf", "reference_id": "GHSA-p239-93f7-h6xf", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p239-93f7-h6xf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/6580?format=api", "purl": "pkg:npm/swagger-ui@2.2.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/52843?format=api", "purl": "pkg:npm/swagger-ui@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gdhu-jxfv-k7a9" }, { "vulnerability": "VCID-h64t-4k96-h7d4" }, { "vulnerability": "VCID-mpx5-7r4y-77a9" }, { "vulnerability": "VCID-wfzu-tsmb-nqf1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.2" } ], "aliases": [ "CVE-2016-5682", "GHSA-p239-93f7-h6xf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3hsn-22rw-7kay" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30537?format=api", "vulnerability_id": "VCID-5918-w4jq-rka8", "summary": "XSS in Consumes/Produces Parameter\nSwagger is a standardized library for documenting API endpoints and their parameters. Swagger uses a JSON document to organize API endpoint parameter data.\n\nSwagger-UI version 2.1.4 contains a cross site scripting (XSS) vulnerability in the `consumes` and `produces` parameters of the swagger json document for a given API. A maliciously crafted swagger JSON doc can be loaded via the URL query-string parameter `url`.\n\n To exploit the vulnerability, an attacker would convince a user to visit a malicious url crafted in the following format:\n ```\nhttp://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json\n````\n\nThis issue is being disclosed before a public patched release is available due to the issue being made public in a Github issue.", "references": [ { "reference_url": "https://github.com/swagger-api/swagger-ui", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/issues/1866", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/issues/1866" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/pull/1867", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/pull/1867" }, { "reference_url": "https://www.npmjs.com/advisories/123", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/123" }, { "reference_url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/123.json", "reference_id": "123", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/123.json" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000226", "reference_id": "CVE-2016-1000226", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000226" }, { "reference_url": "https://github.com/advisories/GHSA-7f59-x49p-v8mq", "reference_id": "GHSA-7f59-x49p-v8mq", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7f59-x49p-v8mq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/6578?format=api", "purl": "pkg:npm/swagger-ui@2.1.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3hsn-22rw-7kay" }, { "vulnerability": "VCID-5918-w4jq-rka8" }, { "vulnerability": "VCID-fc6y-84x3-8bgu" }, { "vulnerability": "VCID-gdhu-jxfv-k7a9" }, { "vulnerability": "VCID-h64t-4k96-h7d4" }, { "vulnerability": "VCID-hvuf-t6m7-fuhh" }, { "vulnerability": "VCID-mjr2-z5x4-e3bs" }, { "vulnerability": "VCID-mpx5-7r4y-77a9" }, { "vulnerability": "VCID-r28p-re5d-uya7" }, { "vulnerability": "VCID-wfzu-tsmb-nqf1" }, { "vulnerability": "VCID-znja-a329-yyh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.1.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/6580?format=api", "purl": "pkg:npm/swagger-ui@2.2.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/52843?format=api", "purl": "pkg:npm/swagger-ui@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gdhu-jxfv-k7a9" }, { "vulnerability": "VCID-h64t-4k96-h7d4" }, { "vulnerability": "VCID-mpx5-7r4y-77a9" }, { "vulnerability": "VCID-wfzu-tsmb-nqf1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.2" } ], "aliases": [ "CVE-2016-1000226", "GHSA-7f59-x49p-v8mq", "GMS-2020-783" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5918-w4jq-rka8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53572?format=api", "vulnerability_id": "VCID-fc6y-84x3-8bgu", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui.", "references": [ { "reference_url": "https://github.com/swagger-api/swagger-ui", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/issues/1864", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/issues/1864" }, { "reference_url": "https://www.npmjs.com/advisories/986", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/986" }, { "reference_url": "https://github.com/advisories/GHSA-vp93-gcx5-4w52", "reference_id": "GHSA-vp93-gcx5-4w52", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vp93-gcx5-4w52" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/6580?format=api", "purl": "pkg:npm/swagger-ui@2.2.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/52843?format=api", "purl": "pkg:npm/swagger-ui@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gdhu-jxfv-k7a9" }, { "vulnerability": "VCID-h64t-4k96-h7d4" }, { "vulnerability": "VCID-mpx5-7r4y-77a9" }, { "vulnerability": "VCID-wfzu-tsmb-nqf1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.2" } ], "aliases": [ "GHSA-vp93-gcx5-4w52", "GMS-2020-786" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fc6y-84x3-8bgu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53560?format=api", "vulnerability_id": "VCID-hvuf-t6m7-fuhh", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui.", "references": [ { "reference_url": "https://github.com/swagger-api/swagger-ui", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/issues/830", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/issues/830" }, { "reference_url": "https://www.npmjs.com/advisories/988", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/988" }, { "reference_url": "https://github.com/advisories/GHSA-w992-2gmj-9xxj", "reference_id": "GHSA-w992-2gmj-9xxj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w992-2gmj-9xxj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/6580?format=api", "purl": "pkg:npm/swagger-ui@2.2.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/52843?format=api", "purl": "pkg:npm/swagger-ui@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gdhu-jxfv-k7a9" }, { "vulnerability": "VCID-h64t-4k96-h7d4" }, { "vulnerability": "VCID-mpx5-7r4y-77a9" }, { "vulnerability": "VCID-wfzu-tsmb-nqf1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.2" } ], "aliases": [ "GHSA-w992-2gmj-9xxj", "GMS-2020-787" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hvuf-t6m7-fuhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52988?format=api", "vulnerability_id": "VCID-mjr2-z5x4-e3bs", "summary": "Cross-Site Scripting in swagger-ui\nAffected versions of `swagger-ui` are vulnerable to cross-site scripting via the `url` query string parameter.\n\n\n## Recommendation\n\nUpdate to 2.2.1 or later.", "references": [ { "reference_url": "https://github.com/swagger-api/swagger-ui", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/commit/a1aea70f2c64533bf053a41d4da5a8accd0117b7", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/commit/a1aea70f2c64533bf053a41d4da5a8accd0117b7" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/issues/1617", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/issues/1617" }, { "reference_url": "https://www.npmjs.com/advisories/137", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/137" }, { "reference_url": "https://github.com/advisories/GHSA-g336-c7wv-8hp3", "reference_id": "GHSA-g336-c7wv-8hp3", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g336-c7wv-8hp3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/6580?format=api", "purl": "pkg:npm/swagger-ui@2.2.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/52843?format=api", "purl": "pkg:npm/swagger-ui@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gdhu-jxfv-k7a9" }, { "vulnerability": "VCID-h64t-4k96-h7d4" }, { "vulnerability": "VCID-mpx5-7r4y-77a9" }, { "vulnerability": "VCID-wfzu-tsmb-nqf1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.2" } ], "aliases": [ "GHSA-g336-c7wv-8hp3", "GMS-2020-784" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mjr2-z5x4-e3bs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30542?format=api", "vulnerability_id": "VCID-r28p-re5d-uya7", "summary": "XSS via Content-type header\nBy using a malicious server which returns script as the value of the Content-Type header, it is possible to execute arbitrary code using the demonstration capabilities of Swagger-UI.", "references": [ { "reference_url": "https://github.com/swagger-api/swagger-ui", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/commit/331d2be070d89162aa3174a8773ae4a0093f78bc", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/commit/331d2be070d89162aa3174a8773ae4a0093f78bc" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/issues/1863", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/issues/1863" }, { "reference_url": "https://www.npmjs.com/advisories/131", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/131" }, { "reference_url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/131.json", "reference_id": "131", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/131.json" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000233", "reference_id": "CVE-2016-1000233", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000233" }, { "reference_url": "https://github.com/advisories/GHSA-mrx7-8hxf-f853", "reference_id": "GHSA-mrx7-8hxf-f853", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mrx7-8hxf-f853" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/6578?format=api", "purl": "pkg:npm/swagger-ui@2.1.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3hsn-22rw-7kay" }, { "vulnerability": "VCID-5918-w4jq-rka8" }, { "vulnerability": "VCID-fc6y-84x3-8bgu" }, { "vulnerability": "VCID-gdhu-jxfv-k7a9" }, { "vulnerability": "VCID-h64t-4k96-h7d4" }, { "vulnerability": "VCID-hvuf-t6m7-fuhh" }, { "vulnerability": "VCID-mjr2-z5x4-e3bs" }, { "vulnerability": "VCID-mpx5-7r4y-77a9" }, { "vulnerability": "VCID-r28p-re5d-uya7" }, { "vulnerability": "VCID-wfzu-tsmb-nqf1" }, { "vulnerability": "VCID-znja-a329-yyh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.1.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/6580?format=api", "purl": "pkg:npm/swagger-ui@2.2.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/52843?format=api", "purl": "pkg:npm/swagger-ui@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gdhu-jxfv-k7a9" }, { "vulnerability": "VCID-h64t-4k96-h7d4" }, { "vulnerability": "VCID-mpx5-7r4y-77a9" }, { "vulnerability": "VCID-wfzu-tsmb-nqf1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.2" } ], "aliases": [ "CVE-2016-1000233", "GHSA-mrx7-8hxf-f853", "GMS-2020-785" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r28p-re5d-uya7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30539?format=api", "vulnerability_id": "VCID-sp5n-ncjd-rkft", "summary": "XSS in key names\nSwagger is a standardized library for documenting API endpoints and their parameters. Swagger uses a JSON document to organize API endpoint parameter data.\n\nSwagger-ui contains a cross site scripting (XSS) vulnerability in the key names for the following object path in the JSON document:\n```\n .definitions.<USER_DEFINED>.properties.<INJECTABLE_KEY_NAME>\n```\nSupplying a key name with script tags causes arbitrary code execution. In addition it is possible to load the arbitrary JSON files remotely via the `URL` query-string parameter.\n\nThis advisory is being disclosed before a public patched release is available because of a public Github issue documenting the vulnerability.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0868", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://access.redhat.com/errata/RHSA-2017:0868" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000229.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000229.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-1000229", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04978", "scoring_system": "epss", "scoring_elements": "0.89865", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-1000229" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000229", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000229" }, { "reference_url": "https://en.wikipedia.org/wiki/Content_Security_Policy", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "https://en.wikipedia.org/wiki/Content_Security_Policy" }, { "reference_url": "https://github.com/swagger-api/swagger-ui", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/issues/1865", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/issues/1865" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000229", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000229" }, { "reference_url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/126.json", "reference_id": "126", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/126.json" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1360275", "reference_id": "1360275", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1360275" }, { "reference_url": "https://github.com/advisories/GHSA-h8wp-wgcq-qhrf", "reference_id": "GHSA-h8wp-wgcq-qhrf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h8wp-wgcq-qhrf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/6580?format=api", "purl": "pkg:npm/swagger-ui@2.2.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.1" } ], "aliases": [ "CVE-2016-1000229", "GHSA-h8wp-wgcq-qhrf" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sp5n-ncjd-rkft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53571?format=api", "vulnerability_id": "VCID-znja-a329-yyh9", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui.", "references": [ { "reference_url": "https://github.com/swagger-api/swagger-ui", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui" }, { "reference_url": "https://github.com/swagger-api/swagger-ui/issues/1154", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/swagger-api/swagger-ui/issues/1154" }, { "reference_url": "https://www.npmjs.com/advisories/987", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/987" }, { "reference_url": "https://github.com/advisories/GHSA-22q9-hqm5-mhmc", "reference_id": "GHSA-22q9-hqm5-mhmc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-22q9-hqm5-mhmc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/6580?format=api", "purl": "pkg:npm/swagger-ui@2.2.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/52843?format=api", "purl": "pkg:npm/swagger-ui@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gdhu-jxfv-k7a9" }, { "vulnerability": "VCID-h64t-4k96-h7d4" }, { "vulnerability": "VCID-mpx5-7r4y-77a9" }, { "vulnerability": "VCID-wfzu-tsmb-nqf1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.2" } ], "aliases": [ "GHSA-22q9-hqm5-mhmc", "GMS-2020-780" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-znja-a329-yyh9" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/swagger-ui@2.2.1" }