Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/75706?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/75706?format=api", "purl": "pkg:gem/decidim-core@0.31", "type": "gem", "namespace": "", "name": "decidim-core", "version": "0.31", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49962?format=api", "vulnerability_id": "VCID-25zg-267g-w3cn", "summary": "Decidim's private data exports can lead to data leaks\nPrivate data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs.\n\nThe bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23).\n\nThis issue was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:\n\n```bash\n$ cd decidim-core\n$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e \"deletes the\" || break ; done\n```\n\nRun the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`.\n\nThe UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example.\n\nThe following code regenerates the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system):\n\n```ruby", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65017", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17321", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65017" }, { "reference_url": "https://github.com/decidim/decidim", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/decidim/decidim" }, { "reference_url": "https://github.com/decidim/decidim/pull/13571", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/" } ], "url": "https://github.com/decidim/decidim/pull/13571" }, { "reference_url": "https://github.com/decidim/decidim/releases/tag/v0.30.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/" } ], "url": "https://github.com/decidim/decidim/releases/tag/v0.30.4" }, { "reference_url": "https://github.com/decidim/decidim/releases/tag/v0.31.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/" } ], "url": "https://github.com/decidim/decidim/releases/tag/v0.31.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65017", "reference_id": "CVE-2025-65017", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65017" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml", "reference_id": "CVE-2025-65017.YML", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2025-65017.yml", "reference_id": "CVE-2025-65017.YML", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2025-65017.yml" }, { "reference_url": "https://github.com/advisories/GHSA-3cx6-j9j4-54mp", "reference_id": "GHSA-3cx6-j9j4-54mp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3cx6-j9j4-54mp" }, { "reference_url": "https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp", "reference_id": "GHSA-3cx6-j9j4-54mp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/" } ], "url": "https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp" } ], "fixed_packages": [], "aliases": [ "CVE-2025-65017", "GHSA-3cx6-j9j4-54mp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-25zg-267g-w3cn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51597?format=api", "vulnerability_id": "VCID-k1gk-pcda-a7cb", "summary": "Decidim has a cross-site scripting (XSS) in user name\n### Impact\n\nA stored code execution vulnerability in the user name field allows\na low-privileged attacker to execute arbitrary code in the context\nof any user who passively visits a comment page, resulting in high\nconfidentiality and integrity impact across security boundaries.\n\n### Patches\n\nN/A\n\n### Workarounds\n\nNot available\n\n### References\n\nOWASP ASVS v4.0.3-5.1.3\n\n### Credits\n\nThis issue was discovered in a security audit organized by\n[octree](https://octree.ch/) and made by\n[Secu Labs](https://seculabs.ch/) against Decidim financed\nby the city of Lausanne (Switzerland).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23891", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.16846", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23891" }, { "reference_url": "https://github.com/decidim/decidim", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L" }, { "value": 
"CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/decidim/decidim" }, { "reference_url": "https://github.com/decidim/decidim/releases/tag/v0.30.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:23:47Z/" } ], "url": "https://github.com/decidim/decidim/releases/tag/v0.30.5" }, { "reference_url": "https://github.com/decidim/decidim/releases/tag/v0.31.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:23:47Z/" } ], "url": "https://github.com/decidim/decidim/releases/tag/v0.31.1" }, { "reference_url": "https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T15:23:47Z/" } ], "url": "https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2026-23891.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2026-23891.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23891", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23891" }, { "reference_url": "https://github.com/advisories/GHSA-fc46-r95f-hq7g", "reference_id": "GHSA-fc46-r95f-hq7g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fc46-r95f-hq7g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110363?format=api", "purl": "pkg:gem/decidim-core@0.31.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25zg-267g-w3cn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/decidim-core@0.31.1" } ], "aliases": [ "CVE-2026-23891", "GHSA-fc46-r95f-hq7g" ], "risk_score": 4.5, 
"exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k1gk-pcda-a7cb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51596?format=api", "vulnerability_id": "VCID-m38p-yqcn-nka4", "summary": "Decidim amendments can be accepted or rejected by anyone\n### Impact\n\nThe vulnerability allows any registered and authenticated user to\naccept or reject any amendments. The impact is on any users who\nhave created proposals where the amendments feature is enabled.\nThis also elevates the user accepting the amendment as the author\nof the original proposal as people amending proposals are provided\ncoauthorship on the coauthorable resources.\n\nThe only check done when accepting or rejecting amendments is whether\nthe amendment reactions are enabled for the component:\n- https://github.com/decidim/decidim/blob/9d6c3d2efe5a83bb02e095824ff5998d96a75eb7/decidim-core/app/permissions/decidim/permissions.rb#L107\n\nThe permission checks have been changed at 1b99136 which was\nintroduced in released version 0.19.0. I have not investigated\nwhether prior versions are also affected.\n\n### Patches\n\nNot available\n\n### Workarounds\n\nDisable amendment reactions for the amendable component (e.g. 
proposals).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40869", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12375", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40869" }, { "reference_url": "https://github.com/decidim/decidim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/decidim/decidim" }, { "reference_url": "https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:35:49Z/" } ], "url": "https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9" }, { "reference_url": "https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:35:49Z/" } ], "url": "https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm" }, { "reference_url": 
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2026-40869.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2026-40869.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40869", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40869" }, { "reference_url": "https://github.com/advisories/GHSA-w5xj-99cg-rccm", "reference_id": "GHSA-w5xj-99cg-rccm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w5xj-99cg-rccm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110363?format=api", "purl": "pkg:gem/decidim-core@0.31.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25zg-267g-w3cn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/decidim-core@0.31.1" } ], "aliases": [ "CVE-2026-40869", "GHSA-w5xj-99cg-rccm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m38p-yqcn-nka4" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/decidim-core@0.31" }