Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/749554?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/749554?format=api", "purl": "pkg:composer/contao/contao@4.13.0-RC2", "type": "composer", "namespace": "contao", "name": "contao", "version": "4.13.0-RC2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.13.56", "latest_non_vulnerable_version": "5.6.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121116?format=api", "vulnerability_id": "VCID-9fgc-p6aq-vygh", "summary": "Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57756", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20744", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.2092", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.2094", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22213", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57756" }, { "reference_url": "https://github.com/contao/contao", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/contao/contao" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57756", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57756" }, { "reference_url": "https://github.com/contao/contao/commit/a03976c459b6f3985a28f6488b82a76ffb6c0514", "reference_id": "a03976c459b6f3985a28f6488b82a76ffb6c0514", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T17:49:20Z/" } ], "url": "https://github.com/contao/contao/commit/a03976c459b6f3985a28f6488b82a76ffb6c0514" }, { "reference_url": "https://github.com/advisories/GHSA-2xmj-8wmq-7475", "reference_id": "GHSA-2xmj-8wmq-7475", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2xmj-8wmq-7475" }, { "reference_url": "https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475", "reference_id": "GHSA-2xmj-8wmq-7475", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T17:49:20Z/" } ], "url": "https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475" }, { "reference_url": "https://contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-index", "reference_id": "information-disclosure-in-the-front-end-search-index", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T17:49:20Z/" } ], "url": "https://contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-index" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377622?format=api", "purl": "pkg:composer/contao/contao@4.13.56", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/contao/contao@4.13.56" }, { "url": "http://public2.vulnerablecode.io/api/packages/377543?format=api", "purl": "pkg:composer/contao/contao@5.3.38", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/contao/contao@5.3.38" }, { "url": "http://public2.vulnerablecode.io/api/packages/377544?format=api", "purl": "pkg:composer/contao/contao@5.6.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/contao/contao@5.6.1" } ], "aliases": [ "CVE-2025-57756", "GHSA-2xmj-8wmq-7475" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9fgc-p6aq-vygh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40358?format=api", "vulnerability_id": "VCID-arpe-7th1-kuep", "summary": "Contao before 5.5.6 allows XSS via an SVG document. This affects (in contao/core-bundle in Composer) 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5..x before 5.5.6.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45965", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00343", "scoring_system": "epss", "scoring_elements": "0.57432", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00343", "scoring_system": "epss", "scoring_elements": "0.5744", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00343", "scoring_system": "epss", "scoring_elements": "0.57425", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00343", "scoring_system": "epss", "scoring_elements": "0.57307", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45965" }, { "reference_url": "https://github.com/contao/contao", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/contao/contao" }, { "reference_url": "https://grimthereaperteam.medium.com/contao-5-4-1-malicious-file-upload-xss-in-svg-30edb8820ecb", "reference_id": "contao-5-4-1-malicious-file-upload-xss-in-svg-30edb8820ecb", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" }, { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T20:29:10Z/" } ], "url": "https://grimthereaperteam.medium.com/contao-5-4-1-malicious-file-upload-xss-in-svg-30edb8820ecb" }, { "reference_url": "https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads", "reference_id": "cross-site-scripting-through-svg-uploads", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" }, { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T20:29:10Z/" } ], "url": "https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45965", "reference_id": "CVE-2024-45965", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45965" }, { "reference_url": "https://github.com/advisories/GHSA-mrw8-5368-phm3", "reference_id": "GHSA-mrw8-5368-phm3", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mrw8-5368-phm3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/749651?format=api", "purl": "pkg:composer/contao/contao@5.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4s26-ndpg-jkcy" }, { "vulnerability": "VCID-9fgc-p6aq-vygh" }, { "vulnerability": "VCID-bmg9-saw6-efhd" }, { "vulnerability": "VCID-w65y-66s4-qbgy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/contao/contao@5.4.2" } ], "aliases": [ "CVE-2024-45965", "GHSA-mrw8-5368-phm3" ], "risk_score": 2.1, "exploitability": "0.5", "weighted_severity": "4.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-arpe-7th1-kuep" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/contao/contao@4.13.0-RC2" }