Look up vulnerable packages by Package URL (purl). Note that every `url` / `resource_url` link in the response below is plain `http://`; when scripting against the API, prefer the HTTPS endpoint if the host offers one so advisory data cannot be tampered with in transit.

GET /api/packages/73169?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/73169?format=api",
    "purl": "pkg:composer/craftcms/cms@5.8.21",
    "type": "composer",
    "namespace": "craftcms",
    "name": "cms",
    "version": "5.8.21",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": false,
    "next_non_vulnerable_version": "5.8.22",
    "latest_non_vulnerable_version": "5.9.9",
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49573?format=api",
            "vulnerability_id": "VCID-1468-4fdx-kbfr",
            "summary": "Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI\nFor this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nAlternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available.\n\nIt is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to RCE.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
            "references": [
                {
                    "reference_url": "https://github.com/craftcms/cms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68454",
                    "reference_id": "CVE-2025-68454",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68454"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-742x-x762-7383",
                    "reference_id": "GHSA-742x-x762-7383",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-742x-x762-7383"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383",
                    "reference_id": "GHSA-742x-x762-7383",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73170?format=api",
                    "purl": "pkg:composer/craftcms/cms@4.16.17",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73169?format=api",
                    "purl": "pkg:composer/craftcms/cms@5.8.21",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"
                }
            ],
            "aliases": [
                "CVE-2025-68454",
                "GHSA-742x-x762-7383"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1468-4fdx-kbfr"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49572?format=api",
            "vulnerability_id": "VCID-1mb5-28xp-ckd2",
            "summary": "Craft CMS vulnerable to potential information disclosure via unchecked asset relocation\nAuthenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo using maliciously crafted requests.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\nResources:\n\nhttps://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9",
            "references": [
                {
                    "reference_url": "https://github.com/craftcms/cms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68436",
                    "reference_id": "CVE-2025-68436",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68436"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-53vf-c43h-j2x9",
                    "reference_id": "GHSA-53vf-c43h-j2x9",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-53vf-c43h-j2x9"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9",
                    "reference_id": "GHSA-53vf-c43h-j2x9",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73170?format=api",
                    "purl": "pkg:composer/craftcms/cms@4.16.17",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73169?format=api",
                    "purl": "pkg:composer/craftcms/cms@5.8.21",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"
                }
            ],
            "aliases": [
                "CVE-2025-68436",
                "GHSA-53vf-c43h-j2x9"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1mb5-28xp-ckd2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49586?format=api",
            "vulnerability_id": "VCID-5mnd-qvaq-k3am",
            "summary": "Unauthenticated Craft CMS users can trigger a database backup\nUnauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.\n\nResources:\n\nhttps://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md",
            "references": [
                {
                    "reference_url": "https://github.com/craftcms/cms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68456",
                    "reference_id": "CVE-2025-68456",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68456"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-v64r-7wg9-23pr",
                    "reference_id": "GHSA-v64r-7wg9-23pr",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-v64r-7wg9-23pr"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr",
                    "reference_id": "GHSA-v64r-7wg9-23pr",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73170?format=api",
                    "purl": "pkg:composer/craftcms/cms@4.16.17",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73169?format=api",
                    "purl": "pkg:composer/craftcms/cms@5.8.21",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"
                }
            ],
            "aliases": [
                "CVE-2025-68456",
                "GHSA-v64r-7wg9-23pr"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5mnd-qvaq-k3am"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49581?format=api",
            "vulnerability_id": "VCID-7y4f-ef7t-47eb",
            "summary": "Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior\nThis was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS.\n\nLeveraging a legitimate but maliciously crafted Yii `Behavior` class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`.",
            "references": [
                {
                    "reference_url": "https://github.com/craftcms/cms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68455",
                    "reference_id": "CVE-2025-68455",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68455"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-255j-qw47-wjh5",
                    "reference_id": "GHSA-255j-qw47-wjh5",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-255j-qw47-wjh5"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5",
                    "reference_id": "GHSA-255j-qw47-wjh5",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73170?format=api",
                    "purl": "pkg:composer/craftcms/cms@4.16.17",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73169?format=api",
                    "purl": "pkg:composer/craftcms/cms@5.8.21",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"
                }
            ],
            "aliases": [
                "CVE-2025-68455",
                "GHSA-255j-qw47-wjh5"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7y4f-ef7t-47eb"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49561?format=api",
            "vulnerability_id": "VCID-rb7c-3nkc-gkeg",
            "summary": "Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation\nThe Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume.\n\nUsers should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md",
            "references": [
                {
                    "reference_url": "https://github.com/craftcms/cms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68437",
                    "reference_id": "CVE-2025-68437",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68437"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-x27p-wfqw-hfcc",
                    "reference_id": "GHSA-x27p-wfqw-hfcc",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-x27p-wfqw-hfcc"
                },
                {
                    "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc",
                    "reference_id": "GHSA-x27p-wfqw-hfcc",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73170?format=api",
                    "purl": "pkg:composer/craftcms/cms@4.16.17",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73169?format=api",
                    "purl": "pkg:composer/craftcms/cms@5.8.21",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"
                }
            ],
            "aliases": [
                "CVE-2025-68437",
                "GHSA-x27p-wfqw-hfcc"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rb7c-3nkc-gkeg"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"
}