GET

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

GET /api/vulnerabilities/90139?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90139?format=api",
    "vulnerability_id": "VCID-saa6-yufp-kbfu",
    "summary": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.",
    "aliases": [
        {
            "alias": "CVE-2025-30018"
        }
    ],
    "fixed_packages": [],
    "affected_packages": [],
    "references": [
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30018",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "0.00365",
                    "scoring_system": "epss",
                    "scoring_elements": "0.59063",
                    "published_at": "2026-06-13T12:55:00Z"
                },
                {
                    "value": "0.00365",
                    "scoring_system": "epss",
                    "scoring_elements": "0.5894",
                    "published_at": "2026-06-11T12:55:00Z"
                },
                {
                    "value": "0.00365",
                    "scoring_system": "epss",
                    "scoring_elements": "0.59052",
                    "published_at": "2026-06-12T12:55:00Z"
                }
            ],
            "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30018"
        },
        {
            "reference_url": "https://me.sap.com/notes/3578900",
            "reference_id": "3578900",
            "reference_type": "",
            "scores": [
                {
                    "value": "8.6",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
                },
                {
                    "value": "Track",
                    "scoring_system": "ssvc",
                    "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-13T14:09:46Z/"
                }
            ],
            "url": "https://me.sap.com/notes/3578900"
        },
        {
            "reference_url": "https://url.sap/sapsecuritypatchday",
            "reference_id": "sapsecuritypatchday",
            "reference_type": "",
            "scores": [
                {
                    "value": "8.6",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
                },
                {
                    "value": "Track",
                    "scoring_system": "ssvc",
                    "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-13T14:09:46Z/"
                }
            ],
            "url": "https://url.sap/sapsecuritypatchday"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 611,
            "name": "Improper Restriction of XML External Entity Reference",
            "description": "The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output."
        }
    ],
    "exploits": [],
    "severity_range_score": "8.6 - 8.6",
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-saa6-yufp-kbfu"
}