
Vulnerability_id VCID-fpqw-za91-efbk
Summary Cinny is a Matrix client. Prior to 4.10.3, a remote authenticated attacker who shares a room with a victim and has permission to create room emotes (for example in a DM) can cause the victim's client to send their Matrix access token to an attacker-controlled server. This occurs when the victim opens the emoji or sticker picker for the room containing a malicious emote pack. The root cause is an incorrect fallback in EmojiBoard that uses the untrusted, user-controlled pack.meta.avatar without converting or validating it as an MXC URL, allowing arbitrary HTTP(S) URLs to be used. In addition, the service worker attaches the user's Authorization bearer token to all outbound GET requests whose URL contains /_matrix/client/v1/media/download or /_matrix/client/v1/media/thumbnail without verifying that the request host matches the configured homeserver origin. An attacker-controlled URL containing those path fragments and served with permissive CORS will therefore receive the victim's Authorization header (access token). This vulnerability is fixed in 4.10.3.
Aliases
0
alias CVE-2026-42553
1
alias GHSA-j944-w549-3453
Fixed_packages
Affected_packages
0
url pkg:npm/cinny@4.5.1
purl pkg:npm/cinny@4.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-fpqw-za91-efbk
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/cinny@4.5.1
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42553
reference_id
reference_type
scores
0
value 0.00165
scoring_system epss
scoring_elements 0.37518
published_at 2026-06-14T12:55:00Z
1
value 0.00165
scoring_system epss
scoring_elements 0.37531
published_at 2026-06-13T12:55:00Z
2
value 0.00165
scoring_system epss
scoring_elements 0.37508
published_at 2026-06-12T12:55:00Z
3
value 0.00165
scoring_system epss
scoring_elements 0.37331
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42553
1
reference_url https://github.com/cinnyapp/cinny
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/cinnyapp/cinny
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42553
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42553
3
reference_url https://github.com/advisories/GHSA-j944-w549-3453
reference_id GHSA-j944-w549-3453
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j944-w549-3453
4
reference_url https://github.com/cinnyapp/cinny/security/advisories/GHSA-j944-w549-3453
reference_id GHSA-j944-w549-3453
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T18:01:29Z/
url https://github.com/cinnyapp/cinny/security/advisories/GHSA-j944-w549-3453
5
reference_url https://github.com/cinnyapp/cinny/releases/tag/v4.10.3
reference_id v4.10.3
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T18:01:29Z/
url https://github.com/cinnyapp/cinny/releases/tag/v4.10.3
Weaknesses
0
cwe_id 20
name Improper Input Validation
description The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fpqw-za91-efbk