Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/73149?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73149?format=api", "vulnerability_id": "VCID-n8tm-snsu-53bn", "summary": "Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.", "aliases": [ { "alias": "CVE-2026-39350" }, { "alias": "GHSA-9gcg-w975-3rjh" } ], "fixed_packages": [], "affected_packages": [], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39350.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39350.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39350", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01584", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.0157", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01576", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01573", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39350" }, { "reference_url": "https://github.com/istio/istio", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/istio/istio" }, { "reference_url": "https://github.com/istio/istio/commit/692e460c342d8f308a35b6ecbdace47807da8ade", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/istio/istio/commit/692e460c342d8f308a35b6ecbdace47807da8ade" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39350", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39350" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458851", "reference_id": "2458851", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458851" }, { "reference_url": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh", "reference_id": "GHSA-9gcg-w975-3rjh", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T11:13:51Z/" } ], "url": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh" } ], "weaknesses": [ { "cwe_id": 185, "name": "Incorrect Regular Expression", "description": "The product specifies a regular expression in a way that causes data to be improperly matched or compared." }, { "cwe_id": 863, "name": "Incorrect Authorization", "description": "The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions." }, { "cwe_id": 625, "name": "Permissive Regular Expression", "description": "The product uses a regular expression that does not sufficiently restrict the set of allowed values." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n8tm-snsu-53bn" }