Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/994704?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/994704?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2", "type": "deb", "namespace": "debian", "name": "wolfssl", "version": "5.9.0-0.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.9.1-0.1", "latest_non_vulnerable_version": "5.9.1-0.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/351433?format=api", "vulnerability_id": "VCID-4zyq-af27-yqa4", "summary": "A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when the LEFT_MOST_WILDCARD_ONLY flag is active. If a wildcard * exhausts the entire hostname string, the function reads one byte past the buffer without a bounds check, which could cause a crash.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-5772", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.12744", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.12782", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.12697", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14298", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14379", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14353", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14282", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14351", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-5772" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5772", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5772" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/10119", "reference_id": "10119", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T13:52:51Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/10119" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133835", "reference_id": "1133835", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133835" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076509?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1" } ], "aliases": [ "CVE-2026-5772" ], "risk_score": 0.9, "exploitability": "0.5", "weighted_severity": "1.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4zyq-af27-yqa4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/351432?format=api", "vulnerability_id": "VCID-9jb1-k32z-w7gw", "summary": "When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An attacker who can poison the session cache could trigger an arbitrary free. Exploitation requires the ability to inject a crafted session into the cache and for the application to call specific session restore APIs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-5507", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03696", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03718", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0367", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05945", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05713", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.059", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05935", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05723", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05868", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-5507" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5507", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5507" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/10088", "reference_id": "10088", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:38:30Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/10088" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133835", "reference_id": "1133835", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133835" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076509?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1" } ], "aliases": [ "CVE-2026-5507" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9jb1-k32z-w7gw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/351424?format=api", "vulnerability_id": "VCID-jvnf-vh29-ufdh", "summary": "A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the inner function TLSX_KeyShare_ProcessPqcClient_ex() frees a KyberKey object upon encountering an error. The caller then invokes TLSX_KeyShare_FreeAll(), which attempts to call ForceZero() on the already-freed KyberKey, resulting in writes of zero bytes over freed heap memory.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-5460", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.12885", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.1292", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.12839", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.172", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17283", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.1726", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17335", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17343", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17377", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-5460" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5460", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5460" }, { "reference_url": "https://github.com/wolfssl/wolfssl/pull/10092", "reference_id": "10092", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T13:51:11Z/" } ], "url": "https://github.com/wolfssl/wolfssl/pull/10092" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133835", "reference_id": "1133835", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133835" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076509?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1" } ], "aliases": [ "CVE-2026-5460" ], "risk_score": 2.9, "exploitability": "0.5", "weighted_severity": "5.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jvnf-vh29-ufdh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/351418?format=api", "vulnerability_id": "VCID-nqhj-d7uw-43hd", "summary": "Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-5264", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00183", "scoring_system": "epss", "scoring_elements": "0.40079", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00183", "scoring_system": "epss", "scoring_elements": "0.40116", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00183", "scoring_system": "epss", "scoring_elements": "0.40059", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47323", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47367", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47376", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47435", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47429", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.4738", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-5264" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5264", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5264" }, { "reference_url": "https://github.com/wolfssl/wolfssl/pull/10076", "reference_id": "10076", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-10T13:55:34Z/" } ], "url": "https://github.com/wolfssl/wolfssl/pull/10076" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133835", "reference_id": "1133835", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133835" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076509?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1" } ], "aliases": [ "CVE-2026-5264" ], "risk_score": 3.8, "exploitability": "0.5", "weighted_severity": "7.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nqhj-d7uw-43hd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/351419?format=api", "vulnerability_id": "VCID-srmp-3tvp-9uhv", "summary": "A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed OID into a fixed 32-byte stack buffer (oriOID[MAX_OID_SZ]) via XMEMCPY without first validating that the parsed OID length does not exceed MAX_OID_SZ. A crafted CMS EnvelopedData message with an ORI recipient containing an OID longer than 32 bytes triggers a stack buffer overflow. Exploitation requires the library to be built with --enable-pkcs7 (disabled by default) and the application to have registered an ORI decrypt callback via wc_PKCS7_SetOriDecryptCb().", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-5295", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03765", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03785", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03738", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05408", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05173", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05367", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0541", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05178", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05332", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-5295" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5295", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5295" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/10116", "reference_id": "10116", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:32:50Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/10116" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133835", "reference_id": "1133835", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133835" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1076509?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1" } ], "aliases": [ "CVE-2026-5295" ], "risk_score": 2.6, "exploitability": "0.5", "weighted_severity": "5.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-srmp-3tvp-9uhv" } ], "fixing_vulnerabilities": [], "risk_score": "3.8", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2" }