Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/706691?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/706691?format=api", "purl": "pkg:composer/flarum/framework@1.8.3", "type": "composer", "namespace": "flarum", "name": "framework", "version": "1.8.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.8.10", "latest_non_vulnerable_version": "2.0.0-beta.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46789?format=api", "vulnerability_id": "VCID-akuy-drq1-hkap", "summary": "Flarum's logout Route allows open redirects\nThe Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. Sample: `example.com/logout?return=https://google.com`. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation.\n\nSome ecosystem extensions modifying the logout route have already been affected. Sample: https://discuss.flarum.org/d/22229-premium-wordpress-integration/526", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21641", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.37939", "scoring_system": "epss", "scoring_elements": "0.97301", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.37939", "scoring_system": "epss", "scoring_elements": "0.973", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.39082", "scoring_system": "epss", "scoring_elements": "0.9736", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21641" }, { "reference_url": "https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:54Z/" } ], "url": "https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a" }, { "reference_url": "https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:54Z/" } ], "url": "https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21641", "reference_id": "CVE-2024-21641", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21641" }, { "reference_url": "https://github.com/advisories/GHSA-733r-8xcp-w9mr", "reference_id": "GHSA-733r-8xcp-w9mr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-733r-8xcp-w9mr" }, { "reference_url": "https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr", "reference_id": "GHSA-733r-8xcp-w9mr", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:54Z/" } ], "url": "https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68419?format=api", "purl": "pkg:composer/flarum/framework@1.8.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-vthb-u9cs-ckak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/flarum/framework@1.8.5" } ], "aliases": [ "CVE-2024-21641", "GHSA-733r-8xcp-w9mr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-akuy-drq1-hkap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56795?format=api", "vulnerability_id": "VCID-vthb-u9cs-ckak", "summary": "Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite\nA session hijacking vulnerability exists when an attacker-controlled **authoritative subdomain** under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication.\n\n**Key Constraints**:\n- Attacker must control **any subdomain** under the parent domain (e.g., `evil.host.com` or `x.y.host.com`).\n- Parent domain must **not** be on the [Public Suffix List](https://publicsuffix.org/).\n\nDue to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27794", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59628", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59638", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59635", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27794" }, { "reference_url": "https://github.com/flarum/framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/flarum/framework" }, { "reference_url": "https://github.com/flarum/framework/commit/a05aaea3ee1e0a8b870935183193cd6052f1d402", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T15:26:50Z/" } ], "url": "https://github.com/flarum/framework/commit/a05aaea3ee1e0a8b870935183193cd6052f1d402" }, { "reference_url": "https://github.com/flarum/framework/releases/tag/v1.8.10", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T15:26:50Z/" } ], "url": "https://github.com/flarum/framework/releases/tag/v1.8.10" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27794", "reference_id": "CVE-2025-27794", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27794" }, { "reference_url": "https://github.com/advisories/GHSA-hg9j-64wp-m9px", "reference_id": "GHSA-hg9j-64wp-m9px", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hg9j-64wp-m9px" }, { "reference_url": "https://github.com/flarum/framework/security/advisories/GHSA-hg9j-64wp-m9px", "reference_id": "GHSA-hg9j-64wp-m9px", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-12T15:26:50Z/" } ], "url": "https://github.com/flarum/framework/security/advisories/GHSA-hg9j-64wp-m9px" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84364?format=api", "purl": "pkg:composer/flarum/framework@1.8.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/flarum/framework@1.8.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/807723?format=api", "purl": "pkg:composer/flarum/framework@2.0.0-beta.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/flarum/framework@2.0.0-beta.1" } ], "aliases": [ "CVE-2025-27794", "GHSA-hg9j-64wp-m9px" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vthb-u9cs-ckak" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/flarum/framework@1.8.3" }