Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/50074?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50074?format=api", "vulnerability_id": "VCID-vvhc-rnpr-ubey", "summary": "Craft CMS Vulnerable to Stored XSS in Entry Types Name\nStored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list.\n\n---", "aliases": [ { "alias": "CVE-2026-25491" }, { "alias": "GHSA-7pr4-wx9w-mqwr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73946?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73168?format=api", "purl": "pkg:composer/craftcms/cms@5.0.0-RC1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1468-4fdx-kbfr" }, { "vulnerability": "VCID-1mb5-28xp-ckd2" }, { "vulnerability": "VCID-39ct-cg7w-kyb6" }, { "vulnerability": "VCID-4wkr-jx1w-77hn" }, { "vulnerability": "VCID-5cxe-tjpb-3qan" }, { "vulnerability": "VCID-5mnd-qvaq-k3am" }, { "vulnerability": "VCID-5q5g-jrxm-eyhe" }, { "vulnerability": "VCID-71sv-62m4-z3er" }, { "vulnerability": "VCID-7y4f-ef7t-47eb" }, { "vulnerability": "VCID-8u2j-17a4-q7eh" }, { "vulnerability": "VCID-9enr-b6zd-mbh8" }, { "vulnerability": "VCID-a3b5-pwyh-yugv" }, { "vulnerability": "VCID-akrv-yqnf-1kg8" }, { "vulnerability": "VCID-azr5-12f8-hfbm" }, { "vulnerability": "VCID-c2nk-y4rx-1qf4" }, { "vulnerability": "VCID-cys8-jnmu-77ec" }, { "vulnerability": "VCID-esma-wxje-eqh3" }, { "vulnerability": "VCID-fpea-e48p-kfbn" }, { "vulnerability": "VCID-h6t5-pdp5-8qhe" }, { "vulnerability": "VCID-hkp9-3hzv-quhk" }, { "vulnerability": "VCID-hyct-5gap-7kdu" }, { "vulnerability": "VCID-jeyh-3jxd-z3g6" }, { "vulnerability": "VCID-jsfs-azcs-mfcm" }, { "vulnerability": "VCID-jxz8-g6fq-dubw" }, { "vulnerability": "VCID-kbrc-85av-nfcn" }, { "vulnerability": "VCID-m5rf-usae-yfb7" }, { "vulnerability": "VCID-pgm4-svq8-tfc5" }, { "vulnerability": "VCID-ppet-ruae-1kav" }, { "vulnerability": "VCID-qq68-3j4y-47am" }, { "vulnerability": "VCID-qywv-vf4r-8bh9" }, { "vulnerability": "VCID-r5hp-5nju-9ubz" }, { "vulnerability": "VCID-rb7c-3nkc-gkeg" }, { "vulnerability": "VCID-twuy-wzb7-k7g3" }, { "vulnerability": "VCID-vasz-rnn1-67ev" }, { "vulnerability": "VCID-vvhc-rnpr-ubey" }, { "vulnerability": "VCID-w9yn-1573-hyau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.0.0-RC1" } ], "references": [ { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25491", "reference_id": "CVE-2026-25491", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25491" }, { "reference_url": "https://github.com/advisories/GHSA-7pr4-wx9w-mqwr", "reference_id": "GHSA-7pr4-wx9w-mqwr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7pr4-wx9w-mqwr" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr", "reference_id": "GHSA-7pr4-wx9w-mqwr", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr" } ], "weaknesses": [ { "cwe_id": 79, "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "description": "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "0.1 - 3", "exploitability": "0.5", "weighted_severity": "2.7", "risk_score": 1.4, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vvhc-rnpr-ubey" }