Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/74587?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/74587?format=api", "purl": "pkg:composer/craftcms/cms@5.9.7", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "5.9.7", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "5.9.9", "latest_non_vulnerable_version": "5.9.9", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50790?format=api", "vulnerability_id": "VCID-hyct-5gap-7kdu", "summary": "Craft CMS has a potential information disclosure vulnerability in preview tokens\nCraft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`. The endpoint accepts an attacker-supplied `previewToken`.\n\nBecause the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.\n\nThat token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.\n\n---", "references": [ { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29113", "reference_id": "CVE-2026-29113", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29113" }, { "reference_url": "https://github.com/advisories/GHSA-vg3j-hpm9-8v5v", "reference_id": "GHSA-vg3j-hpm9-8v5v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vg3j-hpm9-8v5v" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v", "reference_id": "GHSA-vg3j-hpm9-8v5v", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74586?format=api", "purl": "pkg:composer/craftcms/cms@4.17.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/74587?format=api", "purl": "pkg:composer/craftcms/cms@5.9.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7" } ], "aliases": [ "CVE-2026-29113", "GHSA-vg3j-hpm9-8v5v" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hyct-5gap-7kdu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50861?format=api", "vulnerability_id": "VCID-p3n8-1sht-bfbt", "summary": "CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization\nThe fix for CVE-2025-35939 in `craftcms/cms` introduced a `strip_tags()` call in `src/web/User.php` to sanitize return URLs before they are stored in the session. However, `strip_tags()` only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like `javascript:alert(document.cookie)` contain no HTML tags and pass through `strip_tags()` completely unmodified, enabling reflected XSS when the return URL is rendered in an `href` attribute.", "references": [ { "reference_url": "https://github.com/craftcms/cms/commit/cc9921c14897ee2b592a431c2356af8a04ce4cfe", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/commit/cc9921c14897ee2b592a431c2356af8a04ce4cfe" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31859", "reference_id": "CVE-2026-31859", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31859" }, { "reference_url": "https://github.com/advisories/GHSA-fvwq-45qv-xvhv", "reference_id": "GHSA-fvwq-45qv-xvhv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fvwq-45qv-xvhv" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv", "reference_id": "GHSA-fvwq-45qv-xvhv", "reference_type": "", "scores": [], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74790?format=api", "purl": "pkg:composer/craftcms/cms@4.17.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/74587?format=api", "purl": "pkg:composer/craftcms/cms@5.9.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7" } ], "aliases": [ "CVE-2026-31859", "GHSA-fvwq-45qv-xvhv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p3n8-1sht-bfbt" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7" }