Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/98734?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/98734?format=api", "purl": "pkg:rpm/redhat/python3.11-pluggy@1.6.0-1?arch=el8ap", "type": "rpm", "namespace": "redhat", "name": "python3.11-pluggy", "version": "1.6.0-1", "qualifiers": { "arch": "el8ap" }, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74968?format=api", "vulnerability_id": "VCID-7bhx-hdfm-rudm", "summary": "event-driven-ansible: Event Stream Test Mode Exposes Sensitive Headers in AAP EDA", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9907.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9907.json" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392834", "reference_id": "2392834", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392834" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19201", "reference_id": "RHSA-2025:19201", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19201" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19221", "reference_id": "RHSA-2025:19221", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19221" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23069", "reference_id": "RHSA-2025:23069", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23069" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23131", "reference_id": "RHSA-2025:23131", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23131" } ], "fixed_packages": [], "aliases": [ "CVE-2025-9907" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "6.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7bhx-hdfm-rudm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/58171?format=api", "vulnerability_id": "VCID-axy8-kmka-pugw", "summary": "Axios is vulnerable to DoS attack through lack of data size check\nWhen Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response.\nThis path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58754.json" }, { "reference_url": "https://github.com/axios/axios", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios" }, { "reference_url": "https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593" }, { "reference_url": "https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios/commit/a1b1d3f073a988601583a604f5f9f5d05a3d0b67" }, { "reference_url": "https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios/commit/c30252f685e8f4326722de84923fcbc8cf557f06" }, { "reference_url": "https://github.com/axios/axios/pull/7011", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios/pull/7011" }, { "reference_url": "https://github.com/axios/axios/pull/7034", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios/pull/7034" }, { "reference_url": "https://github.com/axios/axios/releases/tag/v0.30.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios/releases/tag/v0.30.2" }, { "reference_url": "https://github.com/axios/axios/releases/tag/v1.12.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios/releases/tag/v1.12.0" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963", "reference_id": "1114963", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394735", "reference_id": "2394735", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394735" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58754", "reference_id": "CVE-2025-58754", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58754" }, { "reference_url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj", "reference_id": "GHSA-4hjh-wcwx-xvwj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj" }, { "reference_url": "https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj", "reference_id": "GHSA-4hjh-wcwx-xvwj", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:16747", "reference_id": "RHSA-2025:16747", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:16747" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:18252", "reference_id": "RHSA-2025:18252", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:18252" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19221", "reference_id": "RHSA-2025:19221", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19221" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19335", "reference_id": "RHSA-2025:19335", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19335" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19375", "reference_id": "RHSA-2025:19375", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19375" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19529", "reference_id": "RHSA-2025:19529", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19529" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19804", "reference_id": "RHSA-2025:19804", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19804" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19961", "reference_id": "RHSA-2025:19961", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19961" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:22684", "reference_id": "RHSA-2025:22684", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:22684" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:22759", "reference_id": "RHSA-2025:22759", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:22759" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23069", "reference_id": "RHSA-2025:23069", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23069" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23131", "reference_id": "RHSA-2025:23131", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23131" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23546", "reference_id": "RHSA-2025:23546", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23546" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:0627", "reference_id": "RHSA-2026:0627", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:0627" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:0718", "reference_id": "RHSA-2026:0718", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:0718" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1018", "reference_id": "RHSA-2026:1018", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1018" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1942", "reference_id": "RHSA-2026:1942", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1942" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4215", "reference_id": "RHSA-2026:4215", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4215" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6226", "reference_id": "RHSA-2026:6226", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6226" } ], "fixed_packages": [], "aliases": [ "CVE-2025-58754", "GHSA-4hjh-wcwx-xvwj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-axy8-kmka-pugw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75017?format=api", "vulnerability_id": "VCID-ce2x-fyuu-tqhk", "summary": "aap-gateway: Improper Path Validation in Gateway Allows Credential Exfiltration", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9909.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9909.json" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392836", "reference_id": "2392836", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392836" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21768", "reference_id": "RHSA-2025:21768", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21768" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21775", "reference_id": "RHSA-2025:21775", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21775" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23069", "reference_id": "RHSA-2025:23069", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23069" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23131", "reference_id": "RHSA-2025:23131", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23131" } ], "fixed_packages": [], "aliases": [ "CVE-2025-9909" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "6.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ce2x-fyuu-tqhk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71184?format=api", "vulnerability_id": "VCID-cwjz-fga9-tubz", "summary": "quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59530.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59530.json" }, { "reference_url": "https://github.com/quic-go/quic-go", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/quic-go/quic-go" }, { "reference_url": "https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685" }, { "reference_url": "https://github.com/quic-go/quic-go/commit/bc5bccf10fd02728eef150683eb4dfaa5c0e749c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/quic-go/quic-go/commit/bc5bccf10fd02728eef150683eb4dfaa5c0e749c" }, { "reference_url": "https://github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42" }, { "reference_url": "https://github.com/quic-go/quic-go/pull/5354", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/quic-go/quic-go/pull/5354" }, { "reference_url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59530", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59530" }, { "reference_url": "https://pkg.go.dev/vuln/GO-2025-4017", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pkg.go.dev/vuln/GO-2025-4017" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403125", "reference_id": "2403125", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403125" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21706", "reference_id": "RHSA-2025:21706", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21706" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21768", "reference_id": "RHSA-2025:21768", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21768" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21775", "reference_id": "RHSA-2025:21775", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21775" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21892", "reference_id": "RHSA-2025:21892", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21892" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:22784", "reference_id": "RHSA-2025:22784", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:22784" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23069", "reference_id": "RHSA-2025:23069", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23069" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23131", "reference_id": "RHSA-2025:23131", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23131" } ], "fixed_packages": [], "aliases": [ "CVE-2025-59530", "GHSA-47m2-4cr7-mhcw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cwjz-fga9-tubz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74992?format=api", "vulnerability_id": "VCID-kbwv-w739-eqes", "summary": "event-driven-ansible: Sensitive Internal Headers Disclosure in AAP EDA Event Streams", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9908.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9908.json" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392835", "reference_id": "2392835", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392835" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19201", "reference_id": "RHSA-2025:19201", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19201" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19221", "reference_id": "RHSA-2025:19221", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19221" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23069", "reference_id": "RHSA-2025:23069", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23069" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23131", "reference_id": "RHSA-2025:23131", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23131" } ], "fixed_packages": [], "aliases": [ "CVE-2025-9908" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "6.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kbwv-w739-eqes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37141?format=api", "vulnerability_id": "VCID-whgc-pt2s-77ar", "summary": "An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.djangoproject.com/en/dev/releases/security" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://github.com/django/django", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/django/django" }, { "reference_url": "https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85" }, { "reference_url": "https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4" }, { "reference_url": "https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b" }, { "reference_url": "https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241" }, { "reference_url": "https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed" }, { "reference_url": "https://groups.google.com/g/django-announce", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://groups.google.com/g/django-announce" }, { "reference_url": "https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html" }, { "reference_url": "https://www.djangoproject.com/weblog/2025/nov/05/security-releases", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.djangoproject.com/weblog/2025/nov/05/security-releases" }, { "reference_url": "https://www.djangoproject.com/weblog/2025/nov/05/security-releases/", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://www.djangoproject.com/weblog/2025/nov/05/security-releases/" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120139", "reference_id": "1120139", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120139" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2412651", "reference_id": "2412651", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2412651" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52456.py", "reference_id": "CVE-2025-64459", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52456.py" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64459", "reference_id": "CVE-2025-64459", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64459" }, { "reference_url": "https://github.com/advisories/GHSA-frmv-pr5f-9mcr", "reference_id": "GHSA-frmv-pr5f-9mcr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-frmv-pr5f-9mcr" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23069", "reference_id": "RHSA-2025:23069", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23069" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23070", "reference_id": "RHSA-2025:23070", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23070" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23130", "reference_id": "RHSA-2025:23130", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23130" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23131", "reference_id": "RHSA-2025:23131", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23131" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23133", "reference_id": "RHSA-2025:23133", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23133" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23196", "reference_id": "RHSA-2025:23196", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23196" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1596", "reference_id": "RHSA-2026:1596", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1596" } ], "fixed_packages": [], "aliases": [ "CVE-2025-64459", "GHSA-frmv-pr5f-9mcr", "PYSEC-2025-108" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-whgc-pt2s-77ar" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/python3.11-pluggy@1.6.0-1%3Farch=el8ap" }