Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/74442?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/74442?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.2", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "5.9.0-beta.2", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "2.6.2975", "latest_non_vulnerable_version": "5.9.9", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50678?format=api", "vulnerability_id": "VCID-akrv-yqnf-1kg8", "summary": "Craft CMS has unauthenticated activation email trigger with potential user enumeration\nThe `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.\n\nThe vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership.\n\nCraft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why `send-activation-email` is in the `allowAnonymous` array - it’s intentional self-service functionality.", "references": [ { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29069", "reference_id": "CVE-2026-29069", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29069" }, { "reference_url": "https://github.com/advisories/GHSA-234q-vvw3-mrfq", "reference_id": "GHSA-234q-vvw3-mrfq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-234q-vvw3-mrfq" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq", "reference_id": "GHSA-234q-vvw3-mrfq", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74443?format=api", "purl": "pkg:composer/craftcms/cms@4.17.0-beta.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/74442?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2" } ], "aliases": [ "CVE-2026-29069", "GHSA-234q-vvw3-mrfq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-akrv-yqnf-1kg8" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2" }