Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/68173?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/68173?format=api", "purl": "pkg:nuget/Umbraco.CMS@10.0.0", "type": "nuget", "namespace": "", "name": "Umbraco.CMS", "version": "10.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46618?format=api", "vulnerability_id": "VCID-2exh-k5tm-r3cy", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nUmbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4 contain a patch for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48313", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00572", "scoring_system": "epss", "scoring_elements": "0.69098", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48313" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/umbraco/Umbraco-CMS" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48313", "reference_id": "CVE-2023-48313", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48313" }, { "reference_url": "https://github.com/advisories/GHSA-v98m-398x-269r", "reference_id": "GHSA-v98m-398x-269r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v98m-398x-269r" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-v98m-398x-269r", "reference_id": "GHSA-v98m-398x-269r", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-28T14:45:15Z/" } ], "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-v98m-398x-269r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68158?format=api", "purl": "pkg:nuget/Umbraco.CMS@10.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Umbraco.CMS@10.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/68159?format=api", "purl": "pkg:nuget/Umbraco.CMS@12.3.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Umbraco.CMS@12.3.4" } ], "aliases": [ "CVE-2023-48313", "GHSA-v98m-398x-269r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2exh-k5tm-r3cy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56042?format=api", "vulnerability_id": "VCID-e5g9-xgrk-eqaf", "summary": "Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice\nThere is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-48927", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02013", "scoring_system": "epss", "scoring_elements": "0.84061", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-48927" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/umbraco/Umbraco-CMS" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48927", "reference_id": "CVE-2024-48927", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48927" }, { "reference_url": "https://github.com/advisories/GHSA-5955-cwv4-h7qh", "reference_id": "GHSA-5955-cwv4-h7qh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5955-cwv4-h7qh" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-5955-cwv4-h7qh", "reference_id": "GHSA-5955-cwv4-h7qh", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-22T16:05:35Z/" } ], "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-5955-cwv4-h7qh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83018?format=api", "purl": "pkg:nuget/Umbraco.CMS@10.8.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Umbraco.CMS@10.8.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/83017?format=api", "purl": "pkg:nuget/Umbraco.CMS@13.5.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Umbraco.CMS@13.5.2" } ], "aliases": [ "CVE-2024-48927", "GHSA-5955-cwv4-h7qh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e5g9-xgrk-eqaf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49383?format=api", "vulnerability_id": "VCID-nhwe-aq8z-ryhn", "summary": "Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality\nDue to unsafe handling and deletion of temporary files during the dictionary upload process, an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server’s filesystem. This vulnerability does not allow reading or writing file contents.\n\nIn certain configurations, incomplete clean-up of temporary upload files may additionally expose the NTLM hash of the Windows account running the Umbraco application. The direct impact of this vulnerability is therefore limited to confidentiality, which is reflected in its CVSS base score of 4.9\n\nWhile the CVSS Base Score captures only the immediate effect, the practical risk varies significantly based on hosting environment and identity configuration. Umbraco Cloud sites run under low-privilege, isolated Azure App Service worker identities, which mitigates the impact of any credential exposure. In contrast, self-hosted deployments could run Umbraco using privileged local or domain accounts. If such an account’s NTLM hash is disclosed, an attacker may be able to:\n- Perform NTLM relay attacks\n- Crack the hash offline to recover the underlying password\n- Authenticate as the compromised identity\n- Access internal systems trusted by that identity\n- Move laterally within the network\n- Potentially escalate to full domain compromise in weakly segmented environments\n\nThese outcomes are not part of the CVSS base score, which only rates the immediate confidentiality impact, but represent realistic downstream consequences for installations using elevated or widely-trusted service accounts. Self-hosted environments running Umbraco under privileged identities are therefore at significantly higher risk.\n\nVulnerability found and reported by Tomasz Holeksa at Pentest Limited", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66625", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12948", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66625" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/umbraco/Umbraco-CMS" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS/commit/7505efd433189037f46547932d4a8b603fd4a615", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-12T20:33:00Z/" } ], "url": "https://github.com/umbraco/Umbraco-CMS/commit/7505efd433189037f46547932d4a8b603fd4a615" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66625", "reference_id": "CVE-2025-66625", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66625" }, { "reference_url": "https://github.com/advisories/GHSA-hfv2-pf68-m33x", "reference_id": "GHSA-hfv2-pf68-m33x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hfv2-pf68-m33x" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hfv2-pf68-m33x", "reference_id": "GHSA-hfv2-pf68-m33x", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-12T20:33:00Z/" } ], "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hfv2-pf68-m33x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72855?format=api", "purl": "pkg:nuget/Umbraco.CMS@13.12.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Umbraco.CMS@13.12.1" } ], "aliases": [ "CVE-2025-66625", "GHSA-hfv2-pf68-m33x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nhwe-aq8z-ryhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57526?format=api", "vulnerability_id": "VCID-yhat-ry32-fqf5", "summary": "Umbraco CMS disclosure of configured password requirements\nVia a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute force derive a user's password.\n\nThe vulnerability can be found in the supported Umbraco versions 10 and 13. It was not exposed in Umbraco 7 or 8, nor in 14 or higher versions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49147", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.46969", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49147" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/umbraco/Umbraco-CMS" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS/commit/b4144564c836ec6929111ce2a12eb1f67b42d61e", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-24T18:08:37Z/" } ], "url": "https://github.com/umbraco/Umbraco-CMS/commit/b4144564c836ec6929111ce2a12eb1f67b42d61e" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS/commit/d8f68d2c40f8e158bd81d469f25ef3a4e1d86c4c", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-24T18:08:37Z/" } ], "url": "https://github.com/umbraco/Umbraco-CMS/commit/d8f68d2c40f8e158bd81d469f25ef3a4e1d86c4c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49147", "reference_id": "CVE-2025-49147", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49147" }, { "reference_url": "https://github.com/advisories/GHSA-pgvc-6h2p-q4f6", "reference_id": "GHSA-pgvc-6h2p-q4f6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pgvc-6h2p-q4f6" }, { "reference_url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-pgvc-6h2p-q4f6", "reference_id": "GHSA-pgvc-6h2p-q4f6", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-24T18:08:37Z/" } ], "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-pgvc-6h2p-q4f6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85575?format=api", "purl": "pkg:nuget/Umbraco.CMS@10.8.11", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Umbraco.CMS@10.8.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/85576?format=api", "purl": "pkg:nuget/Umbraco.CMS@13.9.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Umbraco.CMS@13.9.2" } ], "aliases": [ "CVE-2025-49147", "GHSA-pgvc-6h2p-q4f6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yhat-ry32-fqf5" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Umbraco.CMS@10.0.0" }