Lookup for vulnerable packages by Package URL.

Purl pkg:composer/code16/sharp@5.3.2
Type composer
Namespace code16
Name sharp
Version 5.3.2
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 9.20.0
Latest_non_vulnerable_version 9.22.0
Affected_by_vulnerabilities
0
url VCID-akfx-8k1u-2faj
vulnerability_id VCID-akfx-8k1u-2faj
summary Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 contain a vulnerability in the file upload endpoint that allows authenticated users to bypass all file type restrictions. The upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. This issue has been addressed in version 9.20.0 by removing the client-controlled validation rules and strictly defining upload rules server-side. As a workaround, ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33687
reference_id
reference_type
scores
0
value 0.00023
scoring_system epss
scoring_elements 0.06823
published_at 2026-06-11T12:55:00Z
1
value 0.00023
scoring_system epss
scoring_elements 0.06844
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33687
1
reference_url https://github.com/code16/sharp
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/code16/sharp
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33687
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33687
3
reference_url https://github.com/code16/sharp/pull/714
reference_id 714
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T20:28:24Z/
url https://github.com/code16/sharp/pull/714
4
reference_url https://laravel.com/docs/13.x/filesystem
reference_id filesystem
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T20:28:24Z/
url https://laravel.com/docs/13.x/filesystem
5
reference_url https://github.com/advisories/GHSA-fr76-5637-w3g9
reference_id GHSA-fr76-5637-w3g9
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fr76-5637-w3g9
6
reference_url https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9
reference_id GHSA-fr76-5637-w3g9
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T20:28:24Z/
url https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9
7
reference_url https://github.com/code16/sharp/releases/tag/v9.20.0
reference_id v9.20.0
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T20:28:24Z/
url https://github.com/code16/sharp/releases/tag/v9.20.0
fixed_packages
0
url pkg:composer/code16/sharp@9.20.0
purl pkg:composer/code16/sharp@9.20.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/code16/sharp@9.20.0
aliases CVE-2026-33687, GHSA-fr76-5637-w3g9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-akfx-8k1u-2faj
1
url VCID-cdgj-6szg-m7aa
vulnerability_id VCID-cdgj-6szg-m7aa
summary Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-62798
reference_id
reference_type
scores
0
value 0.00024
scoring_system epss
scoring_elements 0.07194
published_at 2026-06-12T12:55:00Z
1
value 0.00024
scoring_system epss
scoring_elements 0.0716
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-62798
1
reference_url https://github.com/code16/sharp
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/code16/sharp
2
reference_url https://github.com/ViktorMares/vue-js-xss-payload-list
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ViktorMares/vue-js-xss-payload-list
3
reference_url https://medium.com/@sid0krypt/vue-js-reflected-xss-fae04c9872d2
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://medium.com/@sid0krypt/vue-js-reflected-xss-fae04c9872d2
4
reference_url https://github.com/code16/sharp/pull/654
reference_id 654
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-29T17:31:18Z/
url https://github.com/code16/sharp/pull/654
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-62798
reference_id CVE-2025-62798
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-62798
6
reference_url https://github.com/advisories/GHSA-9f58-4465-23c7
reference_id GHSA-9f58-4465-23c7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9f58-4465-23c7
7
reference_url https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7
reference_id GHSA-9f58-4465-23c7
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-29T17:31:18Z/
url https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7
8
reference_url https://github.com/code16/sharp/releases/tag/v9.11.1
reference_id v9.11.1
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-29T17:31:18Z/
url https://github.com/code16/sharp/releases/tag/v9.11.1
fixed_packages
0
url pkg:composer/code16/sharp@9.11.1
purl pkg:composer/code16/sharp@9.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-akfx-8k1u-2faj
1
vulnerability VCID-huyc-6x1c-4bdv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/code16/sharp@9.11.1
aliases CVE-2025-62798, GHSA-9f58-4465-23c7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cdgj-6szg-m7aa
2
url VCID-fad6-cdj9-ekb1
vulnerability_id VCID-fad6-cdj9-ekb1
summary code16 Sharp v9.6.6 is vulnerable to Cross-Site Scripting (XSS) in src/Form/Fields/SharpFormUploadField.php.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61457
reference_id
reference_type
scores
0
value 0.0003
scoring_system epss
scoring_elements 0.09223
published_at 2026-06-11T12:55:00Z
1
value 0.0003
scoring_system epss
scoring_elements 0.09276
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61457
1
reference_url https://github.com/code16/sharp
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/code16/sharp
2
reference_url https://github.com/code16/sharp/commit/bf7fedf2086d86aac16194733a6385564e5cf124
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/code16/sharp/commit/bf7fedf2086d86aac16194733a6385564e5cf124
3
reference_url https://github.com/code16/sharp/issues/611
reference_id 611
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T20:29:37Z/
url https://github.com/code16/sharp/issues/611
4
reference_url https://github.com/chimmeee/vulnerability-research/blob/main/CVE-2025-61457
reference_id CVE-2025-61457
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T20:29:37Z/
url https://github.com/chimmeee/vulnerability-research/blob/main/CVE-2025-61457
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61457
reference_id CVE-2025-61457
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61457
6
reference_url https://github.com/advisories/GHSA-9778-v769-qvjf
reference_id GHSA-9778-v769-qvjf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9778-v769-qvjf
7
reference_url https://github.com/code16/sharp/blob/6d106b05aa07c6b46f5de28f909b732e1bbcdc47/src/Form/Fields/SharpFormUploadField.php#L97
reference_id SharpFormUploadField.php#L97
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T20:29:37Z/
url https://github.com/code16/sharp/blob/6d106b05aa07c6b46f5de28f909b732e1bbcdc47/src/Form/Fields/SharpFormUploadField.php#L97
8
reference_url https://github.com/code16/sharp/releases/tag/v9.7.0
reference_id v9.7.0
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T20:29:37Z/
url https://github.com/code16/sharp/releases/tag/v9.7.0
fixed_packages
0
url pkg:composer/code16/sharp@9.7.0
purl pkg:composer/code16/sharp@9.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-akfx-8k1u-2faj
1
vulnerability VCID-cdgj-6szg-m7aa
2
vulnerability VCID-huyc-6x1c-4bdv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/code16/sharp@9.7.0
aliases CVE-2025-61457, GHSA-9778-v769-qvjf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fad6-cdj9-ekb1
3
url VCID-huyc-6x1c-4bdv
vulnerability_id VCID-huyc-6x1c-4bdv
summary Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 have a path traversal vulnerability in the FileUtil class. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer. In `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. This issue has been patched in version 9.20.0 by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33686
reference_id
reference_type
scores
0
value 0.00031
scoring_system epss
scoring_elements 0.09473
published_at 2026-06-11T12:55:00Z
1
value 0.00031
scoring_system epss
scoring_elements 0.09527
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33686
1
reference_url https://github.com/code16/sharp
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/code16/sharp
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33686
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33686
3
reference_url https://github.com/code16/sharp/pull/715
reference_id 715
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T13:59:38Z/
url https://github.com/code16/sharp/pull/715
4
reference_url https://github.com/advisories/GHSA-9ffq-6457-8958
reference_id GHSA-9ffq-6457-8958
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9ffq-6457-8958
5
reference_url https://github.com/code16/sharp/security/advisories/GHSA-9ffq-6457-8958
reference_id GHSA-9ffq-6457-8958
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T13:59:38Z/
url https://github.com/code16/sharp/security/advisories/GHSA-9ffq-6457-8958
fixed_packages
0
url pkg:composer/code16/sharp@9.20.0
purl pkg:composer/code16/sharp@9.20.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/code16/sharp@9.20.0
aliases CVE-2026-33686, GHSA-9ffq-6457-8958
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-huyc-6x1c-4bdv
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/code16/sharp@5.3.2