Look up vulnerable packages by Package URL (purl).

Purl pkg:composer/october/rain@1.1.0
Type composer
Namespace october
Name rain
Version 1.1.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.7.16
Latest_non_vulnerable_version 4.1.10
Affected_by_vulnerabilities
0
url VCID-8g7k-gf7y-mubp
vulnerability_id VCID-8g7k-gf7y-mubp
summary
Insufficient Session Expiration
An issue was discovered in October through build […]. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs.
references
0
reference_url https://anisiosantos.me/october-cms-token-reactivation
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://anisiosantos.me/october-cms-token-reactivation
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-3311
reference_id
reference_type
scores
0
value 0.01522
scoring_system epss
scoring_elements 0.81607
published_at 2026-06-08T12:55:00Z
1
value 0.01522
scoring_system epss
scoring_elements 0.81612
published_at 2026-06-05T12:55:00Z
2
value 0.01522
scoring_system epss
scoring_elements 0.81583
published_at 2026-06-04T12:55:00Z
3
value 0.01522
scoring_system epss
scoring_elements 0.81614
published_at 2026-06-07T12:55:00Z
4
value 0.01522
scoring_system epss
scoring_elements 0.81615
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-3311
2
reference_url https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024
3
reference_url https://octobercms.com/forum/chan/announcements
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://octobercms.com/forum/chan/announcements
4
reference_url https://packagist.org/packages/october/rain
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/october/rain
5
reference_url http://cve.circl.lu/cve/CVE-2021-3311
reference_id CVE-2021-3311
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://cve.circl.lu/cve/CVE-2021-3311
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-3311
reference_id CVE-2021-3311
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-3311
7
reference_url https://github.com/advisories/GHSA-7ggw-h8pp-r95r
reference_id GHSA-7ggw-h8pp-r95r
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7ggw-h8pp-r95r
8
reference_url https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r
reference_id GHSA-7ggw-h8pp-r95r
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r
fixed_packages
0
url pkg:composer/october/rain@1.1.2
purl pkg:composer/october/rain@1.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8v2u-xg4d-fkex
1
vulnerability VCID-k8hr-jtcb-rqbd
2
vulnerability VCID-vdxu-3sja-eubf
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@1.1.2
aliases CVE-2021-3311, GHSA-7ggw-h8pp-r95r
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8g7k-gf7y-mubp
1
url VCID-8v2u-xg4d-fkex
vulnerability_id VCID-8v2u-xg4d-fkex
summary
October Rain has Environment Variable Exfiltration via INI Parser Interpolation
A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's `parse_ini_string()` function supports `${}` syntax for environment variable interpolation. Attackers with Editor access could inject `${APP_KEY}`, `${DB_PASSWORD}`, or similar patterns into CMS page settings fields, causing sensitive environment variables to be resolved and stored in the template. These values were then returned to the attacker when the page was reopened.

### Impact
- Exfiltration of sensitive environment variables (APP_KEY, DB credentials, AWS keys, etc.)
- Could enable further attacks: database access, cookie forgery, AWS resource access
- Requires authenticated backend access with Editor permissions
- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)

### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.

### Workarounds
If upgrading immediately is not possible:
- Restrict Editor tool access to fully trusted administrators only
- Ensure database and cloud service credentials are not accessible from the web server's network

### References
- Reported by Pentest-Tools.com
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25125
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02853
published_at 2026-06-05T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02792
published_at 2026-06-08T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02808
published_at 2026-06-07T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02861
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25125
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://github.com/octobercms/october/security/advisories/GHSA-g6v3-wv4j-x9hg
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T14:24:59Z/
url https://github.com/octobercms/october/security/advisories/GHSA-g6v3-wv4j-x9hg
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25125
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25125
4
reference_url https://github.com/advisories/GHSA-g6v3-wv4j-x9hg
reference_id GHSA-g6v3-wv4j-x9hg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g6v3-wv4j-x9hg
fixed_packages
0
url pkg:composer/october/rain@3.7.14
purl pkg:composer/october/rain@3.7.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.14
1
url pkg:composer/october/rain@3.7.16
purl pkg:composer/october/rain@3.7.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.16
2
url pkg:composer/october/rain@4.1.10
purl pkg:composer/october/rain@4.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.10
aliases CVE-2026-25125, GHSA-g6v3-wv4j-x9hg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8v2u-xg4d-fkex
2
url VCID-k8hr-jtcb-rqbd
vulnerability_id VCID-k8hr-jtcb-rqbd
summary
October Rain has a Twig Sandbox Bypass via Collection Methods
A sandbox bypass vulnerability was identified in the optional Twig safe mode feature (`CMS_SAFE_MODE`). Certain methods on the `collect()` helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections.

### Impact
- Bypass of Twig sandbox restrictions
- Only affects installations with `CMS_SAFE_MODE` enabled (disabled by default)
- Requires authenticated backend access with CMS template editing permissions

### Patches
The vulnerability has been patched in v4.1.5 and v3.7.13. All users who have enabled safe mode are encouraged to upgrade to the latest patched version.

### Workarounds
If upgrading immediately is not possible:
- Disable `CMS_SAFE_MODE` if untrusted template editing is not required
- Restrict CMS template editing permissions to fully trusted administrators only

### References
- Reported by Ɓukasz Rybak
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22692
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.05103
published_at 2026-06-05T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.05039
published_at 2026-06-08T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.0508
published_at 2026-06-07T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.05088
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22692
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T19:42:23Z/
url https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22692
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22692
4
reference_url https://github.com/advisories/GHSA-m5qg-jc75-4jp6
reference_id GHSA-m5qg-jc75-4jp6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m5qg-jc75-4jp6
fixed_packages
0
url pkg:composer/october/rain@3.7.13
purl pkg:composer/october/rain@3.7.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8v2u-xg4d-fkex
1
vulnerability VCID-vdxu-3sja-eubf
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.13
1
url pkg:composer/october/rain@4.1.5
purl pkg:composer/october/rain@4.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8v2u-xg4d-fkex
1
vulnerability VCID-vdxu-3sja-eubf
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.5
aliases CVE-2026-22692, GHSA-m5qg-jc75-4jp6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k8hr-jtcb-rqbd
3
url VCID-vdxu-3sja-eubf
vulnerability_id VCID-vdxu-3sja-eubf
summary
October Rain has Stored XSS via SVG Filter Bypass
A stored cross-site scripting (XSS) vulnerability was identified in the SVG sanitization logic. The regex pattern used to strip `on*` event handler attributes could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries.

### Impact
- Stored XSS via malicious SVG files uploaded through the Media Manager
- Could allow privilege escalation if a superuser views or embeds the malicious SVG
- Requires authenticated backend access with media upload permissions (`media.library.create`)
- SVG must be viewed or embedded in a page to trigger

### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.

### Workarounds
If upgrading immediately is not possible:
- Disable SVG uploads by adding `svg` to the blocked extensions in media configuration
- Set `media.clean_vectors` to `true` in configuration (enabled by default)

### References
- Reported by Pentest-Tools.com
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25133
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.00937
published_at 2026-06-05T12:55:00Z
1
value 9e-05
scoring_system epss
scoring_elements 0.00935
published_at 2026-06-08T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.00938
published_at 2026-06-07T12:55:00Z
3
value 9e-05
scoring_system epss
scoring_elements 0.00936
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25133
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:47:21Z/
url https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25133
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25133
4
reference_url https://github.com/advisories/GHSA-gcqv-f29m-67gr
reference_id GHSA-gcqv-f29m-67gr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gcqv-f29m-67gr
fixed_packages
0
url pkg:composer/october/rain@3.7.14
purl pkg:composer/october/rain@3.7.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.14
1
url pkg:composer/october/rain@3.7.16
purl pkg:composer/october/rain@3.7.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.16
2
url pkg:composer/october/rain@4.1.10
purl pkg:composer/october/rain@4.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.10
aliases CVE-2026-25133, GHSA-gcqv-f29m-67gr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vdxu-3sja-eubf
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@1.1.0