Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/pagefind@0.9.2

Type npm

Namespace

Name pagefind

Version 0.9.2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.1.1

Latest_non_vulnerable_version 1.1.1

Affected_by_vulnerabilities

url VCID-xekt-jswh-ffcu

vulnerability_id VCID-xekt-jswh-ffcu

summary Pagefind, a fully static search library, initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script the user loads. This information is gathered by looking up the value of `document.currentScript.src`. Prior to Pagefind version 1.1.1, it is possible to "clobber" this lookup with otherwise benign HTML on the page. This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML to a live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the cross-site scripting vector. Pagefind has tightened this resolution in version 1.1.1 by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-45389

reference_id

reference_type

scores

value	0.01215
scoring_system	epss
scoring_elements	0.795
published_at	2026-06-13T12:55:00Z

value	0.01215
scoring_system	epss
scoring_elements	0.79496
published_at	2026-06-14T12:55:00Z

value	0.01215
scoring_system	epss
scoring_elements	0.79486
published_at	2026-06-12T12:55:00Z

value	0.01215
scoring_system	epss
scoring_elements	0.79419
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-45389

reference_url

https://github.com/CloudCannon/pagefind

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

value	6.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/CloudCannon/pagefind

reference_url

https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb

reference_id

14ec96864eabaf1d7d809d5da0186a8856261eeb

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

value	6.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:02:11Z/

url

https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-45389

reference_id

CVE-2024-45389

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

value	6.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-45389

reference_url

https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

reference_id

GHSA-4vvj-4cpr-p986

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

value	6.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:02:11Z/

url

https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

reference_url

https://github.com/advisories/GHSA-gprj-6m2f-j9hx

reference_id

GHSA-gprj-6m2f-j9hx

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gprj-6m2f-j9hx

reference_url

https://github.com/CloudCannon/pagefind/security/advisories/GHSA-gprj-6m2f-j9hx

reference_id

GHSA-gprj-6m2f-j9hx

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:02:11Z/

url

https://github.com/CloudCannon/pagefind/security/advisories/GHSA-gprj-6m2f-j9hx

fixed_packages

url	pkg:npm/pagefind@1.1.1
purl	pkg:npm/pagefind@1.1.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/pagefind@1.1.1

aliases CVE-2024-45389, GHSA-gprj-6m2f-j9hx

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xekt-jswh-ffcu

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pagefind@0.9.2

Package Instance