Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/66589?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/66589?format=api", "purl": "pkg:maven/ai.h2o/h2o-core@None", "type": "maven", "namespace": "ai.h2o", "name": "h2o-core", "version": "None", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18838?format=api", "vulnerability_id": "VCID-3efh-977a-3kcc", "summary": "S3 Bucket can lead to spread of malicious R package\nH2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6017", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00194", "scoring_system": "epss", "scoring_elements": "0.41212", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6017" }, { "reference_url": "https://huntr.com/bounties/6a69952f-a1ba-4dee-9d8c-e87f52508b58", "reference_id": "", "reference_type": "", "scores": [], "url": "https://huntr.com/bounties/6a69952f-a1ba-4dee-9d8c-e87f52508b58" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6017", "reference_id": "CVE-2023-6017", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6017" } ], "fixed_packages": [], "aliases": [ "CVE-2023-6017" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3efh-977a-3kcc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18840?format=api", "vulnerability_id": "VCID-5tbd-y3w9-2qf2", "summary": "Improper Control of Generation of Code ('Code Injection')\nAn attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO model import feature.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6016", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.68243", "scoring_system": "epss", "scoring_elements": "0.98622", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6016" }, { "reference_url": "https://huntr.com/bounties/83dd17ec-053e-453c-befb-7d6736bf1836", "reference_id": "", "reference_type": "", "scores": [], "url": "https://huntr.com/bounties/83dd17ec-053e-453c-befb-7d6736bf1836" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6016", "reference_id": "CVE-2023-6016", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6016" } ], "fixed_packages": [], "aliases": [ "CVE-2023-6016" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5tbd-y3w9-2qf2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18839?format=api", "vulnerability_id": "VCID-hn24-c4ke-b3bx", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nH2O is vulnerable to stored XSS vulnerability which can lead to a Local File Include attack.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6013", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47524", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6013" }, { "reference_url": "https://huntr.com/bounties/9881569f-dc2a-437e-86b0-20d4b70ae7af", "reference_id": "", "reference_type": "", "scores": [], "url": "https://huntr.com/bounties/9881569f-dc2a-437e-86b0-20d4b70ae7af" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6013", "reference_id": "CVE-2023-6013", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6013" } ], "fixed_packages": [], "aliases": [ "CVE-2023-6013" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hn24-c4ke-b3bx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18829?format=api", "vulnerability_id": "VCID-rq23-bb5q-sug7", "summary": "Missing Authorization\nAn attacker is able to read any file on the server hosting the H2O dashboard without any authentication.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6038", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.63282", "scoring_system": "epss", "scoring_elements": "0.98424", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6038" }, { "reference_url": "https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6038", "reference_id": "CVE-2023-6038", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6038" } ], "fixed_packages": [], "aliases": [ "CVE-2023-6038" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rq23-bb5q-sug7" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/ai.h2o/h2o-core@None" }