Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/670795?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/670795?format=api", "purl": "pkg:npm/%40keystone-6/core@5.5.0", "type": "npm", "namespace": "@keystone-6", "name": "core", "version": "5.5.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.5.2", "latest_non_vulnerable_version": "6.5.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91722?format=api", "vulnerability_id": "VCID-5kdx-3r3z-nye2", "summary": "@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix)\n# Summary \n`{field}.isFilterable` access control can be bypassed in `findMany` queries by passing a `cursor`. This can be used to confirm the existence of records by protected field values.\n\nThe fix for [CVE-2025-46720](https://github.com/keystonejs/keystone/security/advisories/GHSA-hg9m-67mm-7pg3) (field-level `isFilterable` bypass for update and delete mutations) added checks to the `where` parameter in `update` and `delete` mutations however the `cursor` parameter in `findMany` was not patched and accepts the same `UniqueWhere` input type.\n\n# Impact \nThis affects any project relying on `isFilterable` behaviour (at the list or field level) to prevent external users from using the filtering of fields as a discovery mechanism. `isFilterable` access control using a function can be bypassed by using the `cursor` input.\n\nThis has no impact on projects using `isFilterable: false` or `defaultIsFilterable: false` for sensitive fields, or if you have otherwise omitted filtering by these fields from your GraphQL schema. (See workarounds)\n\n# Patches \nThis issue has been patched in `@keystone-6/core` version 6.5.2.\n\n# Workarounds \nTo mitigate this issue in older versions where patching is not a viable pathway.\n\n- Set `{field}.isFilterable: false` statically for relevant fields to prevent filtering by them earlier in the access control pipeline (that is, don't use functions)\n- Set `{field}.graphql.omit.read: true` for relevant fields, which implicitly removes filtering by these fields your GraphQL schema", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33326", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02287", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02261", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02293", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33326" }, { "reference_url": "https://github.com/keystonejs/keystone", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/keystonejs/keystone" }, { "reference_url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:37:00Z/" } ], "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33326", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33326" }, { "reference_url": "https://github.com/advisories/GHSA-cgcg-q9jh-5pr2", "reference_id": "GHSA-cgcg-q9jh-5pr2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cgcg-q9jh-5pr2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114032?format=api", "purl": "pkg:npm/%40keystone-6/core@6.5.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@6.5.2" } ], "aliases": [ "CVE-2026-33326", "GHSA-cgcg-q9jh-5pr2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5kdx-3r3z-nye2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57251?format=api", "vulnerability_id": "VCID-gxmq-8d4q-xqdm", "summary": "Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields\n`{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields.\n\nSpecifically, when a mutation includes a `where` clause with multiple unique filters (e.g. `id` and `email`), Keystone will attempt to match records even if filtering by the latter fields would normally be rejected by `field.isFilterable` or `list.defaultIsFilterable`. This can allow malicious actors to infer the presence of a particular field value when a filter is successful in returning a result.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46720", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19513", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19556", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00062", "scoring_system": "epss", "scoring_elements": "0.19561", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46720" }, { "reference_url": "https://github.com/keystonejs/keystone", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/keystonejs/keystone" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46720", "reference_id": "CVE-2025-46720", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46720" }, { "reference_url": "https://github.com/advisories/GHSA-hg9m-67mm-7pg3", "reference_id": "GHSA-hg9m-67mm-7pg3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hg9m-67mm-7pg3" }, { "reference_url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-hg9m-67mm-7pg3", "reference_id": "GHSA-hg9m-67mm-7pg3", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-05T18:59:54Z/" } ], "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-hg9m-67mm-7pg3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85043?format=api", "purl": "pkg:npm/%40keystone-6/core@6.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5kdx-3r3z-nye2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@6.5.0" } ], "aliases": [ "CVE-2025-46720", "GHSA-hg9m-67mm-7pg3" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gxmq-8d4q-xqdm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45844?format=api", "vulnerability_id": "VCID-ppy6-36tw-sqft", "summary": "Missing Authorization\nKeystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a `session` strategy is not defined. This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, `isAccessAllowed` is not `undefined`). This vulnerability does affect users who believed that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. Users are advised to upgrade. Users unable to upgrade may opt to write their own `isAccessAllowed` functionality to work-around this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40027", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00321", "scoring_system": "epss", "scoring_elements": "0.55421", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00321", "scoring_system": "epss", "scoring_elements": "0.55432", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00321", "scoring_system": "epss", "scoring_elements": "0.55427", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40027" }, { "reference_url": "https://github.com/keystonejs/keystone", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/keystonejs/keystone" }, { "reference_url": "https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/" } ], "url": "https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284" }, { "reference_url": "https://github.com/keystonejs/keystone/pull/8771", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/" } ], "url": "https://github.com/keystonejs/keystone/pull/8771" }, { "reference_url": "https://github.com/keystonejs/keystone/releases/tag/2023-08-15", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/keystonejs/keystone/releases/tag/2023-08-15" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40027", "reference_id": "CVE-2023-40027", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40027" }, { "reference_url": "https://github.com/advisories/GHSA-9cvc-v7wm-992c", "reference_id": "GHSA-9cvc-v7wm-992c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9cvc-v7wm-992c" }, { "reference_url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c", "reference_id": "GHSA-9cvc-v7wm-992c", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/" } ], "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66565?format=api", "purl": "pkg:npm/%40keystone-6/core@5.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5kdx-3r3z-nye2" }, { "vulnerability": "VCID-gxmq-8d4q-xqdm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@5.5.1" } ], "aliases": [ "CVE-2023-40027", "GHSA-9cvc-v7wm-992c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ppy6-36tw-sqft" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@5.5.0" }