Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/701547?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/701547?format=api", "purl": "pkg:npm/%40budibase/server@2.2.12-alpha.53", "type": "npm", "namespace": "@budibase", "name": "server", "version": "2.2.12-alpha.53", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.33.4", "latest_non_vulnerable_version": "3.38.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65980?format=api", "vulnerability_id": "VCID-dhet-rmkd-pqh6", "summary": "Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25041", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24115", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25041" }, { "reference_url": "https://github.com/Budibase/budibase", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Budibase/budibase" }, { "reference_url": "https://github.com/Budibase/budibase/commit/9fdbff32fb9e69650ba899a799e13f80d9b09e93", "reference_id": "9fdbff32fb9e69650ba899a799e13f80d9b09e93", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-09T20:31:29Z/" } ], "url": "https://github.com/Budibase/budibase/commit/9fdbff32fb9e69650ba899a799e13f80d9b09e93" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25041", "reference_id": "CVE-2026-25041", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25041" }, { "reference_url": "https://github.com/advisories/GHSA-726g-59wr-cj4c", "reference_id": "GHSA-726g-59wr-cj4c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-726g-59wr-cj4c" }, { "reference_url": "https://github.com/Budibase/budibase/security/advisories/GHSA-726g-59wr-cj4c", "reference_id": "GHSA-726g-59wr-cj4c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-09T20:31:29Z/" } ], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-726g-59wr-cj4c" }, { "reference_url": "https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c85/packages/server/src/integrations/postgres.ts#L529-L531", "reference_id": "postgres.ts#L529-L531", "reference_type": "", 
"scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-09T20:31:29Z/" } ], "url": "https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c85/packages/server/src/integrations/postgres.ts#L529-L531" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40393?format=api", "purl": "pkg:npm/%40budibase/server@3.23.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-g5dd-gava-87ab" }, { "vulnerability": "VCID-kfvy-pknt-qbgv" }, { "vulnerability": "VCID-mpmj-pahy-23av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/server@3.23.32" } ], "aliases": [ "CVE-2026-25041", "GHSA-726g-59wr-cj4c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dhet-rmkd-pqh6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71703?format=api", "vulnerability_id": "VCID-g5dd-gava-87ab", "summary": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. 
This issue has been patched in version 3.33.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35214", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19988", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35214" }, { "reference_url": "https://github.com/Budibase/budibase", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Budibase/budibase" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35214", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35214" }, { "reference_url": "https://github.com/Budibase/budibase/pull/18240", "reference_id": "18240", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:04:18Z/" } ], "url": "https://github.com/Budibase/budibase/pull/18240" }, { "reference_url": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "reference_id": "3.33.4", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { 
"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:04:18Z/" } ], "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4" }, { "reference_url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879", "reference_id": "6344d06d703660fd05995e61d581593c2349c879", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:04:18Z/" } ], "url": "https://github.com/Budibase/budibase/commit/6344d06d703660fd05995e61d581593c2349c879" }, { "reference_url": "https://github.com/advisories/GHSA-2wfh-rcwf-wh23", "reference_id": "GHSA-2wfh-rcwf-wh23", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2wfh-rcwf-wh23" }, { "reference_url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23", "reference_id": "GHSA-2wfh-rcwf-wh23", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:04:18Z/" } ], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-2wfh-rcwf-wh23" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373303?format=api", "purl": "pkg:npm/%40budibase/server@3.33.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/server@3.33.4" } ], "aliases": [ "CVE-2026-35214", "GHSA-2wfh-rcwf-wh23" ], "risk_score": 
null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g5dd-gava-87ab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66082?format=api", "vulnerability_id": "VCID-kfvy-pknt-qbgv", "summary": "Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25044", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27005", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25044" }, { "reference_url": "https://github.com/Budibase/budibase", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Budibase/budibase" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25044", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-25044" }, { "reference_url": "https://github.com/Budibase/budibase/releases/tag/3.33.2", "reference_id": "3.33.2", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-03T16:45:21Z/" } ], "url": "https://github.com/Budibase/budibase/releases/tag/3.33.2" }, { "reference_url": "https://github.com/advisories/GHSA-gjw9-34gf-rp6m", "reference_id": "GHSA-gjw9-34gf-rp6m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gjw9-34gf-rp6m" }, { "reference_url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gjw9-34gf-rp6m", "reference_id": "GHSA-gjw9-34gf-rp6m", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-03T16:45:21Z/" } ], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-gjw9-34gf-rp6m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373303?format=api", "purl": "pkg:npm/%40budibase/server@3.33.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/server@3.33.4" } ], "aliases": [ "CVE-2026-25044", 
"GHSA-gjw9-34gf-rp6m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kfvy-pknt-qbgv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71866?format=api", "vulnerability_id": "VCID-mpmj-pahy-23av", "summary": "Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35216", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.56182", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35216" }, { "reference_url": "https://github.com/Budibase/budibase", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Budibase/budibase" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35216", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35216" }, { "reference_url": "https://github.com/Budibase/budibase/pull/18238", "reference_id": "18238", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T16:46:19Z/" } ], "url": "https://github.com/Budibase/budibase/pull/18238" }, { "reference_url": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "reference_id": "3.33.4", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T16:46:19Z/" } ], "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4" }, { "reference_url": "https://github.com/Budibase/budibase/commit/f0c731b409a96e401445a6a6030d2994ff4ac256", "reference_id": "f0c731b409a96e401445a6a6030d2994ff4ac256", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T16:46:19Z/" } ], "url": "https://github.com/Budibase/budibase/commit/f0c731b409a96e401445a6a6030d2994ff4ac256" }, { "reference_url": "https://github.com/advisories/GHSA-fcm4-4pj2-m5hf", "reference_id": "GHSA-fcm4-4pj2-m5hf", 
"reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fcm4-4pj2-m5hf" }, { "reference_url": "https://github.com/Budibase/budibase/security/advisories/GHSA-fcm4-4pj2-m5hf", "reference_id": "GHSA-fcm4-4pj2-m5hf", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T16:46:19Z/" } ], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-fcm4-4pj2-m5hf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373303?format=api", "purl": "pkg:npm/%40budibase/server@3.33.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/server@3.33.4" } ], "aliases": [ "CVE-2026-35216", "GHSA-fcm4-4pj2-m5hf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mpmj-pahy-23av" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/211721?format=api", "vulnerability_id": "VCID-wmea-cdfy-ffah", "summary": "Budibase affected by VM2 Constructor Escape Vulnerability", "references": [ { "reference_url": "https://github.com/Budibase/budibase", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Budibase/budibase" }, { "reference_url": 
"https://github.com/Budibase/budibase/commit/601c02a4acc695b1cc602bf611f0ae66d6e5868f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Budibase/budibase/commit/601c02a4acc695b1cc602bf611f0ae66d6e5868f" }, { "reference_url": "https://github.com/advisories/GHSA-4g2x-vq5p-5vj6", "reference_id": "GHSA-4g2x-vq5p-5vj6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4g2x-vq5p-5vj6" }, { "reference_url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4g2x-vq5p-5vj6", "reference_id": "GHSA-4g2x-vq5p-5vj6", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4g2x-vq5p-5vj6" }, { "reference_url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5", "reference_id": "GHSA-cchq-frgv-rjh5", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29489?format=api", "purl": "pkg:npm/%40budibase/server@2.20.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dhet-rmkd-pqh6" }, { 
"vulnerability": "VCID-g5dd-gava-87ab" }, { "vulnerability": "VCID-kfvy-pknt-qbgv" }, { "vulnerability": "VCID-mpmj-pahy-23av" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/server@2.20.0" } ], "aliases": [ "GHSA-4g2x-vq5p-5vj6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wmea-cdfy-ffah" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/server@2.2.12-alpha.53" }