Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/73556?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/73556?format=api", "purl": "pkg:maven/org.keycloak/keycloak-services@26.5.2", "type": "maven", "namespace": "org.keycloak", "name": "keycloak-services", "version": "26.5.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49846?format=api", "vulnerability_id": "VCID-s9bw-xmnt-xqbp", "summary": "Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods\nA flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3947", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3947" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3948", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3948" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430835", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430835" }, { "reference_url": "https://github.com/keycloak/keycloak", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak" }, { "reference_url": "https://github.com/keycloak/keycloak/issues/45646", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://github.com/keycloak/keycloak/issues/45646" }, { "reference_url": "https://access.redhat.com/security/cve/CVE-2026-1190", "reference_id": "CVE-2026-1190", "reference_type": "", "scores": [], "url": "https://access.redhat.com/security/cve/CVE-2026-1190" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1190", "reference_id": "CVE-2026-1190", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1190" }, { "reference_url": "https://github.com/advisories/GHSA-63v5-26vq-m4vm", "reference_id": "GHSA-63v5-26vq-m4vm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-63v5-26vq-m4vm" } ], "fixed_packages": [], "aliases": [ "CVE-2026-1190", "GHSA-63v5-26vq-m4vm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s9bw-xmnt-xqbp" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49807?format=api", "vulnerability_id": "VCID-58n2-w8fu-u3hc", "summary": "Keycloak services allows the issuance of access and refresh tokens for disabled users\nA flaw was found in the keycloak-services component of Keycloak. 
This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2365", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2365" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2366", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2366" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421711", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421711" }, { "reference_url": "https://github.com/keycloak/keycloak", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak" }, { "reference_url": "https://github.com/keycloak/keycloak/commit/2d0aa31c4830ebaad094c3762e78b884c141e659", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak/commit/2d0aa31c4830ebaad094c3762e78b884c141e659" }, { "reference_url": "https://github.com/keycloak/keycloak/commit/d67349f3aa9fed5c61750619d0f9de6356aeaeff", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak/commit/d67349f3aa9fed5c61750619d0f9de6356aeaeff" }, { "reference_url": "https://github.com/keycloak/keycloak/issues/45651", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak/issues/45651" }, { "reference_url": "https://github.com/keycloak/keycloak/releases/tag/26.5.2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak/releases/tag/26.5.2" }, { "reference_url": 
"https://access.redhat.com/security/cve/CVE-2025-14559", "reference_id": "CVE-2025-14559", "reference_type": "", "scores": [], "url": "https://access.redhat.com/security/cve/CVE-2025-14559" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14559", "reference_id": "CVE-2025-14559", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14559" }, { "reference_url": "https://github.com/advisories/GHSA-wv3h-x6c4-r867", "reference_id": "GHSA-wv3h-x6c4-r867", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wv3h-x6c4-r867" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73557?format=api", "purl": "pkg:maven/org.keycloak/keycloak-services@26.4.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.4.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/73556?format=api", "purl": "pkg:maven/org.keycloak/keycloak-services@26.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s9bw-xmnt-xqbp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.5.2" } ], "aliases": [ "CVE-2025-14559", "GHSA-wv3h-x6c4-r867" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-58n2-w8fu-u3hc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49923?format=api", "vulnerability_id": "VCID-zr12-p5eq-wubj", "summary": "Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes\nA flaw was found in Keycloak Admin API. 
This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2365", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2365" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2366", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2366" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418330", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418330" }, { "reference_url": "https://github.com/keycloak/keycloak", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak" }, { "reference_url": "https://github.com/keycloak/keycloak/commit/1d7ab8d5fb1403902f5152820a8fc734d38b08d2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak/commit/1d7ab8d5fb1403902f5152820a8fc734d38b08d2" }, { "reference_url": "https://github.com/keycloak/keycloak/commit/c5c83d6604d4c73139f38fce3ed7b7c4c38c09f2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak/commit/c5c83d6604d4c73139f38fce3ed7b7c4c38c09f2" }, { "reference_url": "https://github.com/keycloak/keycloak/issues/45873", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak/issues/45873" }, { "reference_url": "https://github.com/keycloak/keycloak/pull/45427", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/keycloak/keycloak/pull/45427" }, { "reference_url": "https://access.redhat.com/security/cve/CVE-2025-13881", "reference_id": "CVE-2025-13881", "reference_type": "", "scores": [], "url": 
"https://access.redhat.com/security/cve/CVE-2025-13881" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13881", "reference_id": "CVE-2025-13881", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13881" }, { "reference_url": "https://github.com/advisories/GHSA-g78x-7vwx-9f58", "reference_id": "GHSA-g78x-7vwx-9f58", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-g78x-7vwx-9f58" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73557?format=api", "purl": "pkg:maven/org.keycloak/keycloak-services@26.4.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.4.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/73556?format=api", "purl": "pkg:maven/org.keycloak/keycloak-services@26.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s9bw-xmnt-xqbp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.5.2" } ], "aliases": [ "CVE-2025-13881", "GHSA-g78x-7vwx-9f58" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zr12-p5eq-wubj" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.5.2" }