Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/938274?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "type": "deb", "namespace": "debian", "name": "ruby-nokogiri", "version": "1.19.1+dfsg-1", "qualifiers": { "distro": "trixie" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31756?format=api", "vulnerability_id": "VCID-64c1-dzhs-u3gj", "summary": "Nokogiri has a vulnerability allowing arbitrary execution of code\n if a certain function is used.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5477", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.06079", "scoring_system": "epss", "scoring_elements": "0.90714", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.06079", "scoring_system": "epss", "scoring_elements": "0.90782", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.06079", "scoring_system": "epss", "scoring_elements": "0.90763", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.06079", "scoring_system": "epss", "scoring_elements": "0.90765", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.06079", "scoring_system": "epss", "scoring_elements": "0.90766", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.06079", "scoring_system": "epss", "scoring_elements": "0.90758", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.06079", "scoring_system": "epss", "scoring_elements": "0.90751", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.06079", "scoring_system": "epss", "scoring_elements": "0.90741", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.06079", "scoring_system": "epss", "scoring_elements": "0.9073", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.06079", "scoring_system": "epss", "scoring_elements": "0.9072", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5477" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexical/CVE-2019-5477.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexical/CVE-2019-5477.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/issues/1915", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/issues/1915" }, { "reference_url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc" }, { "reference_url": "https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926" }, { "reference_url": "https://hackerone.com/reports/650835", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://hackerone.com/reports/650835" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5477", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5477" }, { "reference_url": "https://usn.ubuntu.com/4175-1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://usn.ubuntu.com/4175-1" }, { "reference_url": "https://usn.ubuntu.com/4175-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4175-1/" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934802", "reference_id": "934802", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934802" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940905", "reference_id": "940905", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940905" }, { "reference_url": "https://github.com/advisories/GHSA-cr5j-953j-xw5p", "reference_id": "GHSA-cr5j-953j-xw5p", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cr5j-953j-xw5p" }, { "reference_url": "https://security.gentoo.org/glsa/202006-05", "reference_id": "GLSA-202006-05", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202006-05" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938277?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.10.4%2Bdfsg1-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.10.4%252Bdfsg1-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938273?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-snr1-kaug-43aa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2019-5477", "GHSA-cr5j-953j-xw5p" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-64c1-dzhs-u3gj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11286?format=api", "vulnerability_id": "VCID-8geh-vfns-pfgs", "summary": "Improper Restriction of XML External Entity Reference\nNokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41098.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41098.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41098", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00564", "scoring_system": "epss", "scoring_elements": "0.68449", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00564", "scoring_system": "epss", "scoring_elements": "0.68411", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00564", "scoring_system": "epss", "scoring_elements": "0.68444", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00564", "scoring_system": "epss", "scoring_elements": "0.68456", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00564", "scoring_system": "epss", "scoring_elements": "0.6843", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00564", "scoring_system": "epss", "scoring_elements": "0.68413", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00564", "scoring_system": "epss", "scoring_elements": "0.68362", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00565", "scoring_system": "epss", "scoring_elements": "0.68359", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00565", "scoring_system": "epss", "scoring_elements": "0.68379", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00565", "scoring_system": "epss", "scoring_elements": "0.68398", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41098" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-41098.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-41098.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2008914", "reference_id": "2008914", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2008914" }, { "reference_url": "https://security.archlinux.org/AVG-2424", "reference_id": "AVG-2424", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2424" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41098", "reference_id": "CVE-2021-41098", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41098" }, { "reference_url": "https://github.com/advisories/GHSA-2rr5-8q37-2w7h", "reference_id": "GHSA-2rr5-8q37-2w7h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2rr5-8q37-2w7h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938276?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938273?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-snr1-kaug-43aa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2021-41098", "GHSA-2rr5-8q37-2w7h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8geh-vfns-pfgs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30055?format=api", "vulnerability_id": "VCID-8zyc-vw5k-wqaw", "summary": "sparklemotion nokogiri hashmap.c hashmap_get_with_hash heap-based overflow\n### Withdrawn Advisory\n\nThis advisory has been withdrawn because the affected code was never included in a release. This link has been maintained to preserve external references.\n\n### Original Description\n\nA vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833. It has been classified as problematic. This affects the function hashmap_get_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is named ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6494", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07325", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07346", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07418", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07429", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07442", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07456", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07432", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07307", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07284", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6494" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/ada4708e5a67114402cd3feb70a4e1d1d7cf773a", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T15:08:50Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/ada4708e5a67114402cd3feb70a4e1d1d7cf773a" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/issues/3508", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T15:08:50Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/issues/3508" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/pull/3524", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T15:08:50Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/pull/3524" }, { "reference_url": "https://github.com/user-attachments/files/19825279/nokogiri_crash_2.txt", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T15:08:50Z/" } ], "url": "https://github.com/user-attachments/files/19825279/nokogiri_crash_2.txt" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6494", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6494" }, { "reference_url": "https://vuldb.com/?ctiid.313611", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T15:08:50Z/" } ], "url": "https://vuldb.com/?ctiid.313611" }, { "reference_url": "https://vuldb.com/?id.313611", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T15:08:50Z/" } ], "url": "https://vuldb.com/?id.313611" }, { "reference_url": "https://vuldb.com/?submit.601006", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T15:08:50Z/" } ], "url": "https://vuldb.com/?submit.601006" }, { "reference_url": "https://github.com/advisories/GHSA-jc9r-qcgw-fxq9", "reference_id": "GHSA-jc9r-qcgw-fxq9", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jc9r-qcgw-fxq9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938276?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938273?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-snr1-kaug-43aa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2025-6494", "GHSA-jc9r-qcgw-fxq9" ], "risk_score": 2.1, "exploitability": "0.5", "weighted_severity": "4.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8zyc-vw5k-wqaw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13709?format=api", "vulnerability_id": "VCID-9wgc-swf9-z7hq", "summary": "Inefficient Regular Expression Complexity\nNokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24836.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24836.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24836", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0134", "scoring_system": "epss", "scoring_elements": "0.80039", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0134", "scoring_system": "epss", "scoring_elements": "0.8001", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0134", "scoring_system": "epss", "scoring_elements": "0.80018", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0134", "scoring_system": "epss", "scoring_elements": "0.80035", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0134", "scoring_system": "epss", "scoring_elements": "0.80006", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0134", "scoring_system": "epss", "scoring_elements": "0.79978", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0134", "scoring_system": "epss", "scoring_elements": "0.80015", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.01377", "scoring_system": "epss", "scoring_elements": "0.80228", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01377", "scoring_system": "epss", "scoring_elements": "0.80208", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24836" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/23", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/23" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4" }, { "reference_url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/" }, { "reference_url": "https://security.gentoo.org/glsa/202208-29", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-29" }, { "reference_url": "https://support.apple.com/kb/HT213532", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://support.apple.com/kb/HT213532" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787", "reference_id": "1009787", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074346", "reference_id": "2074346", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074346" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24836", "reference_id": "CVE-2022-24836", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24836" }, { "reference_url": "https://github.com/advisories/GHSA-crjr-9rc5-ghw8", "reference_id": "GHSA-crjr-9rc5-ghw8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-crjr-9rc5-ghw8" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8", "reference_id": "GHSA-crjr-9rc5-ghw8", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8506", "reference_id": "RHSA-2022:8506", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8506" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938273?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-snr1-kaug-43aa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938281?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2%2Bdeb11u1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938280?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.5%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.5%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2022-24836", "GHSA-crjr-9rc5-ghw8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9wgc-swf9-z7hq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/34871?format=api", "vulnerability_id": "VCID-eru7-uy2t-d3ef", "summary": "A vulnerability has been discovered in Nokogiri, which can lead to a denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23476.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23476.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23476", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00226", "scoring_system": "epss", "scoring_elements": "0.4538", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00226", "scoring_system": "epss", "scoring_elements": "0.45324", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00232", "scoring_system": "epss", "scoring_elements": "0.46063", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00232", "scoring_system": "epss", "scoring_elements": "0.46084", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47363", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47402", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47337", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47344", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23476" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-23476.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-23476.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:08Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:08Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:08Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23476", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23476" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153279", "reference_id": "2153279", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153279" }, { "reference_url": "https://github.com/advisories/GHSA-qv4q-mr5r-qprj", "reference_id": "GHSA-qv4q-mr5r-qprj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qv4q-mr5r-qprj" }, { "reference_url": "https://security.gentoo.org/glsa/202408-13", "reference_id": "GLSA-202408-13", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202408-13" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938276?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938273?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-snr1-kaug-43aa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938279?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2022-23476", "GHSA-qv4q-mr5r-qprj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eru7-uy2t-d3ef" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54838?format=api", "vulnerability_id": "VCID-gxbt-wyyf-1yg8", "summary": "Nokogiri vulnerable to DoS while parsing XML entities\nNokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6461.json", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6461.json" }, { "reference_url": "https://access.redhat.com/security/cve/cve-2013-6461", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://access.redhat.com/security/cve/cve-2013-6461" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2013-6461", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02046", "scoring_system": "epss", "scoring_elements": "0.83882", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.02046", "scoring_system": "epss", "scoring_elements": "0.83849", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.02046", "scoring_system": "epss", "scoring_elements": "0.83813", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.02046", "scoring_system": "epss", "scoring_elements": "0.83784", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.02046", "scoring_system": "epss", "scoring_elements": "0.83854", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.02046", "scoring_system": "epss", "scoring_elements": "0.8386", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.02046", "scoring_system": "epss", "scoring_elements": "0.83843", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.02046", "scoring_system": "epss", "scoring_elements": "0.83837", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.02046", "scoring_system": "epss", "scoring_elements": "0.83797", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.02046", "scoring_system": "epss", "scoring_elements": "0.83812", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2013-6461" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6461", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6461" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90059", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90059" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2013-6461.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2013-6461.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6461", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:M/Au:N/C:N/I:N/A:P" }, { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6461" }, { "reference_url": "https://security-tracker.debian.org/tracker/CVE-2013-6461", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6461" }, { "reference_url": "https://web.archive.org/web/20200804224345/https://www.securityfocus.com/bid/64513", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20200804224345/https://www.securityfocus.com/bid/64513" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2013/12/27/2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2013/12/27/2" }, { "reference_url": "http://www.securityfocus.com/bid/64513", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/64513" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1046664", "reference_id": "1046664", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1046664" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:subscription_asset_manager:-:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:subscription_asset_manager:-:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:subscription_asset_manager:-:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*" }, { "reference_url": "https://github.com/advisories/GHSA-jmhh-w7xp-wg39", "reference_id": "GHSA-jmhh-w7xp-wg39", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jmhh-w7xp-wg39" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938276?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938273?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-snr1-kaug-43aa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2013-6461", "GHSA-jmhh-w7xp-wg39", "OSV-101458" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gxbt-wyyf-1yg8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30122?format=api", "vulnerability_id": "VCID-qj6u-xryx-s3ev", "summary": "sparklemotion nokogiri hashmap.c hashmap_set_with_hash heap-based overflow\n### Withdrawn Advisory\n\nThis advisory has been withdrawn because the affected code was never included in a release. This link has been maintained to preserve external references.\n\n### Original Description\n\nA vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833 and classified as problematic. This issue affects the function hashmap_set_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6490", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07284", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07346", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07418", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07429", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07442", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07456", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07432", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07307", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07325", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6490" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/ada4708e5a67114402cd3feb70a4e1d1d7cf773a", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T16:34:29Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/ada4708e5a67114402cd3feb70a4e1d1d7cf773a" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/issues/3500", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T16:34:29Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/issues/3500" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/pull/3524", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T16:34:29Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/pull/3524" }, { "reference_url": "https://github.com/user-attachments/files/19625432/nokogiri_crash.txt", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T16:34:29Z/" } ], "url": "https://github.com/user-attachments/files/19625432/nokogiri_crash.txt" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6490", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6490" }, { "reference_url": "https://vuldb.com/?ctiid.313601", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T16:34:29Z/" } ], "url": "https://vuldb.com/?ctiid.313601" }, { "reference_url": "https://vuldb.com/?id.313601", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T16:34:29Z/" } ], "url": "https://vuldb.com/?id.313601" }, { "reference_url": "https://vuldb.com/?submit.601005", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C" }, { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-23T16:34:29Z/" } ], "url": "https://vuldb.com/?submit.601005" }, { "reference_url": "https://github.com/advisories/GHSA-pf9w-gvcf-gv7m", "reference_id": "GHSA-pf9w-gvcf-gv7m", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pf9w-gvcf-gv7m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938276?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938273?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-snr1-kaug-43aa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2025-6490", "GHSA-pf9w-gvcf-gv7m" ], "risk_score": 2.1, "exploitability": "0.5", "weighted_severity": "4.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qj6u-xryx-s3ev" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47092?format=api", "vulnerability_id": "VCID-snr1-kaug-43aa", "summary": "Multiple vulnerabilities have been discovered in Nokogiri, the worst of which could result in denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29181.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29181.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29181", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04183", "scoring_system": "epss", "scoring_elements": "0.88724", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.04183", "scoring_system": "epss", "scoring_elements": "0.8871", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.04183", "scoring_system": "epss", "scoring_elements": "0.88682", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.04183", "scoring_system": "epss", "scoring_elements": "0.88717", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.04183", "scoring_system": "epss", "scoring_elements": "0.88705", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.04183", "scoring_system": "epss", "scoring_elements": "0.88699", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.04293", "scoring_system": "epss", "scoring_elements": "0.88835", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.04293", "scoring_system": "epss", "scoring_elements": "0.88819", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29181" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/23", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/23" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-29181.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-29181.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29181", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29181" }, { "reference_url": "https://security.gentoo.org/glsa/202208-29", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-29" }, { "reference_url": "https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/" } ], "url": "https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri" }, { "reference_url": "https://support.apple.com/kb/HT213532", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://support.apple.com/kb/HT213532" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2088684", "reference_id": "2088684", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2088684" }, { "reference_url": "https://github.com/advisories/GHSA-xh29-r2w5-wx8m", "reference_id": "GHSA-xh29-r2w5-wx8m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xh29-r2w5-wx8m" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8506", "reference_id": "RHSA-2022:8506", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8506" }, { "reference_url": "https://usn.ubuntu.com/7659-1/", "reference_id": "USN-7659-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7659-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938282?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.7%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.7%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2022-29181", "GHSA-xh29-r2w5-wx8m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-snr1-kaug-43aa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/33287?format=api", "vulnerability_id": "VCID-vhyk-9tbb-quc3", "summary": "Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability\n### Severity\n\nNokogiri maintainers have evaluated this as [__Low Severity__ (CVSS3 2.6)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N).\n\n\n### Description\n\nIn Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema` are **trusted** by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.\n\nThis behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as **untrusted** by default whenever possible.\n\nPlease note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be \"Low Severity\".\n\n\n### Affected Versions\n\nNokogiri `<= 1.10.10` as well as prereleases `1.11.0.rc1`, `1.11.0.rc2`, and `1.11.0.rc3`\n\n\n### Mitigation\n\nThere are no known workarounds for affected versions. Upgrade to Nokogiri `1.11.0.rc4` or later.\n\nIf, after upgrading to `1.11.0.rc4` or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior):\n\n1. Ensure the input is trusted. Do not enable this option for untrusted input.\n2. When invoking the `Nokogiri::XML::Schema` constructor, pass as the second parameter an instance of `Nokogiri::XML::ParseOptions` with the `NONET` flag turned off.\n\nSo if your previous code was:\n\n``` ruby\n# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network\n# but in v1.11.0.rc4 and later, this call will disallow network access for external resources\nschema = Nokogiri::XML::Schema.new(schema)\n\n# in v1.11.0.rc4 and later, the following is equivalent to the code above\n# (the second parameter is optional, and this demonstrates its default value)\nschema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)\n```\n\nThen you can add the second parameter to indicate that the input is trusted by changing it to:\n\n``` ruby\n# in v1.11.0.rc3 and earlier, this would raise an ArgumentError \n# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network\nschema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)\n```\n\n\n### References\n\n- [This issue's public advisory](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m)\n- [Original Hackerone report (private)](https://hackerone.com/reports/747489)\n- [OWASP description of XXE attack](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)\n- [OWASP description of SSRF attack](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n\n\n### Credit \n\nThis vulnerability was independently reported by @eric-therond and @gucki.\n\nThe Nokogiri maintainers would like to thank [HackerOne](https://hackerone.com/nokogiri) for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to us.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26247.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26247.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26247", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00717", "scoring_system": "epss", "scoring_elements": "0.72466", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00717", "scoring_system": "epss", "scoring_elements": "0.72425", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00717", "scoring_system": "epss", "scoring_elements": "0.72434", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00717", "scoring_system": "epss", "scoring_elements": "0.72451", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00717", "scoring_system": "epss", "scoring_elements": "0.72428", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00717", "scoring_system": "epss", "scoring_elements": "0.72416", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00717", "scoring_system": "epss", "scoring_elements": "0.72377", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00717", "scoring_system": "epss", "scoring_elements": "0.72399", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00717", "scoring_system": "epss", "scoring_elements": "0.72376", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00717", "scoring_system": "epss", "scoring_elements": "0.72381", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26247" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26247", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26247" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.6", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m" }, { "reference_url": "https://hackerone.com/reports/747489", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://hackerone.com/reports/747489" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26247", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26247" }, { "reference_url": "https://rubygems.org/gems/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rubygems.org/gems/nokogiri" }, { "reference_url": "https://security.gentoo.org/glsa/202208-29", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-29" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1912487", "reference_id": "1912487", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1912487" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978967", "reference_id": "978967", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978967" }, { "reference_url": "https://github.com/advisories/GHSA-vr8q-g5c7-m54m", "reference_id": "GHSA-vr8q-g5c7-m54m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vr8q-g5c7-m54m" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4702", "reference_id": "RHSA-2021:4702", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4702" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:5191", "reference_id": "RHSA-2021:5191", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:5191" }, { "reference_url": "https://usn.ubuntu.com/7659-1/", "reference_id": "USN-7659-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7659-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938278?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938273?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-snr1-kaug-43aa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2020-26247", "GHSA-vr8q-g5c7-m54m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vhyk-9tbb-quc3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55015?format=api", "vulnerability_id": "VCID-xvhw-5776-s3fr", "summary": "Nokogiri vulnerable to DoS while parsing XML documents\nNokogiri gem has Denial of Service via infinite loop when parsing XML documents", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6460.json", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6460.json" }, { "reference_url": "https://access.redhat.com/security/cve/cve-2013-6460", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://access.redhat.com/security/cve/cve-2013-6460" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2013-6460", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02521", "scoring_system": "epss", "scoring_elements": "0.8544", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.02521", "scoring_system": "epss", "scoring_elements": "0.85416", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.02521", "scoring_system": "epss", "scoring_elements": "0.8542", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.02521", "scoring_system": "epss", "scoring_elements": "0.85421", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.02521", "scoring_system": "epss", "scoring_elements": "0.85398", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.02521", "scoring_system": "epss", "scoring_elements": "0.85355", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.02521", "scoring_system": "epss", "scoring_elements": "0.85374", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.02521", "scoring_system": "epss", "scoring_elements": "0.85376", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.02521", "scoring_system": "epss", "scoring_elements": "0.85407", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.02521", "scoring_system": "epss", "scoring_elements": "0.85343", "published_at": "2026-04-01T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2013-6460" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6460", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6460" }, { "reference_url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6460", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6460" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90058", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90058" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2013-6460.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2013-6460.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6460", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:M/Au:N/C:N/I:N/A:P" }, { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6460" }, { "reference_url": "https://security-tracker.debian.org/tracker/CVE-2013-6460", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6460" }, { "reference_url": "https://web.archive.org/web/20200229074427/https://www.securityfocus.com/bid/64513", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20200229074427/https://www.securityfocus.com/bid/64513" }, { "reference_url": "https://web.archive.org/web/20200229074427/https://www.securityfocus.com/bid/64513/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200229074427/https://www.securityfocus.com/bid/64513/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2013/12/27/2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2013/12/27/2" }, { "reference_url": "http://www.securityfocus.com/bid/64513", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/64513" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1046663", "reference_id": "1046663", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1046663" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:subscription_asset_manager:-:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:subscription_asset_manager:-:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:subscription_asset_manager:-:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*" }, { "reference_url": "https://github.com/advisories/GHSA-62qp-3fxm-9wxf", "reference_id": "GHSA-62qp-3fxm-9wxf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-62qp-3fxm-9wxf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938276?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938273?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-snr1-kaug-43aa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2013-6460", "GHSA-62qp-3fxm-9wxf", "OSV-101179" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xvhw-5776-s3fr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52034?format=api", "vulnerability_id": "VCID-zrsc-vqxk-vkgx", "summary": "Nokogiri is vulnerable to XML External Entity (XXE) attack\nNokogiri before 1.5.4 is vulnerable to XXE attacks.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-6685.json", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-6685.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2012-6685", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00323", "scoring_system": "epss", "scoring_elements": "0.5533", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00323", "scoring_system": "epss", "scoring_elements": "0.55393", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00323", "scoring_system": "epss", "scoring_elements": "0.55357", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00323", "scoring_system": "epss", "scoring_elements": "0.55376", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00323", "scoring_system": "epss", "scoring_elements": "0.55397", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00323", "scoring_system": "epss", "scoring_elements": "0.55387", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00323", "scoring_system": "epss", "scoring_elements": "0.55336", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00323", "scoring_system": "epss", "scoring_elements": "0.55355", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00323", "scoring_system": "epss", "scoring_elements": "0.55232", "published_at": "2026-04-01T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2012-6685" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1178970", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1178970" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6685", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6685" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/599856367150709497a3a03bee930bd76504d95d", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sparklemotion/nokogiri/commit/599856367150709497a3a03bee930bd76504d95d" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/issues/693", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/issues/693" }, { "reference_url": "https://nokogiri.org/CHANGELOG.html#154-2012-06-12", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nokogiri.org/CHANGELOG.html#154-2012-06-12" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6685", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6685" }, { "reference_url": "https://github.com/advisories/GHSA-6wj9-77wq-jq7p", "reference_id": "GHSA-6wj9-77wq-jq7p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6wj9-77wq-jq7p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938272?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.5.4-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.5.4-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938273?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.11.1%2Bdfsg-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-snr1-kaug-43aa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.11.1%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938271?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.13.10%2Bdfsg-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.13.10%252Bdfsg-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938275?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.18.2%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.18.2%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938274?format=api", "purl": "pkg:deb/debian/ruby-nokogiri@1.19.1%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2012-6685", "GHSA-6wj9-77wq-jq7p", "OSV-90946" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zrsc-vqxk-vkgx" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-nokogiri@1.19.1%252Bdfsg-1%3Fdistro=trixie" }