Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/996182?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/996182?format=api", "purl": "pkg:npm/%40budibase/backend-core@1.0.135", "type": "npm", "namespace": "@budibase", "name": "backend-core", "version": "1.0.135", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.35.10", "latest_non_vulnerable_version": "3.38.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70368?format=api", "vulnerability_id": "VCID-26sa-d3pj-qugz", "summary": "Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42239", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12405", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12385", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12307", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12397", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42239" }, { "reference_url": "https://github.com/Budibase/budibase", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Budibase/budibase" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42239", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42239" }, { "reference_url": "https://github.com/Budibase/budibase/releases/tag/3.35.10", "reference_id": "3.35.10", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T19:39:21Z/" } ], "url": "https://github.com/Budibase/budibase/releases/tag/3.35.10" }, { "reference_url": "https://github.com/advisories/GHSA-4f9j-vr4p-642r", "reference_id": "GHSA-4f9j-vr4p-642r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4f9j-vr4p-642r" }, { "reference_url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r", "reference_id": "GHSA-4f9j-vr4p-642r", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T19:39:21Z/" } ], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374269?format=api", "purl": "pkg:npm/%40budibase/backend-core@3.35.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/backend-core@3.35.10" } ], "aliases": [ "CVE-2026-42239", "GHSA-4f9j-vr4p-642r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-26sa-d3pj-qugz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71475?format=api", "vulnerability_id": "VCID-pqcu-pgng-9qhh", "summary": "Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31818", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03741", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03763", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0376", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0375", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31818" }, { "reference_url": "https://github.com/Budibase/budibase", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Budibase/budibase" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31818", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31818" }, { "reference_url": "https://github.com/Budibase/budibase/pull/18236", "reference_id": "18236", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T20:04:22Z/" } ], "url": "https://github.com/Budibase/budibase/pull/18236" }, { "reference_url": "https://github.com/Budibase/budibase/releases/tag/3.33.4", "reference_id": "3.33.4", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T20:04:22Z/" } ], "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4" }, { "reference_url": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732", "reference_id": "5b0fe83d4ece52696b62589cba89ef50cc009732", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T20:04:22Z/" } ], "url": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732" }, { "reference_url": "https://github.com/advisories/GHSA-7r9j-r86q-7g45", "reference_id": "GHSA-7r9j-r86q-7g45", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7r9j-r86q-7g45" }, { "reference_url": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45", "reference_id": "GHSA-7r9j-r86q-7g45", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T20:04:22Z/" } ], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374237?format=api", "purl": "pkg:npm/%40budibase/backend-core@3.33.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-26sa-d3pj-qugz" }, { "vulnerability": "VCID-t9dz-y65b-yubn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/backend-core@3.33.4" } ], "aliases": [ "CVE-2026-31818", "GHSA-7r9j-r86q-7g45" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pqcu-pgng-9qhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80796?format=api", "vulnerability_id": "VCID-t9dz-y65b-yubn", "summary": "Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query parameter. For example, POST /api/global/users/search?x=/api/system/status bypasses all authentication because the regex /api/system/status/ matches in the query string portion of the URL. This vulnerability is fixed in 3.35.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41428", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28032", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.27815", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.2804", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28013", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41428" }, { "reference_url": "https://github.com/Budibase/budibase", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Budibase/budibase" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41428", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41428" }, { "reference_url": "https://github.com/advisories/GHSA-8783-3wgf-jggf", "reference_id": "GHSA-8783-3wgf-jggf", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8783-3wgf-jggf" }, { "reference_url": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf", "reference_id": "GHSA-8783-3wgf-jggf", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T20:00:28Z/" } ], "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-8783-3wgf-jggf" } ], "fixed_packages": [], "aliases": [ "CVE-2026-41428", "GHSA-8783-3wgf-jggf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t9dz-y65b-yubn" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540budibase/backend-core@1.0.135" }