Package details: pkg:npm/swagger-ui@2.2.1
purl pkg:npm/swagger-ui@2.2.1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (8)
Vulnerability Summary Aliases
VCID-3hsn-22rw-7kay Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section. CVE-2016-5682
GHSA-p239-93f7-h6xf
VCID-5918-w4jq-rka8 XSS in Consumes/Produces Parameter. Swagger is a standardized library for documenting API endpoints and their parameters. Swagger uses a JSON document to organize API endpoint parameter data. Swagger-UI version 2.1.4 contains a cross-site scripting (XSS) vulnerability in the `consumes` and `produces` parameters of the Swagger JSON document for a given API. A maliciously crafted Swagger JSON document can be loaded via the URL query-string parameter `url`. To exploit the vulnerability, an attacker would convince a user to visit a malicious URL crafted in the following format: `http://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json`. This issue is being disclosed before a public patched release is available due to the issue being made public in a GitHub issue. CVE-2016-1000226
GHSA-7f59-x49p-v8mq
GMS-2020-783
VCID-fc6y-84x3-8bgu Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui. GHSA-vp93-gcx5-4w52
GMS-2020-786
VCID-hvuf-t6m7-fuhh Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui. GHSA-w992-2gmj-9xxj
GMS-2020-787
VCID-mjr2-z5x4-e3bs Cross-Site Scripting in swagger-ui. Affected versions of `swagger-ui` are vulnerable to cross-site scripting via the `url` query string parameter. Recommendation: update to 2.2.1 or later. GHSA-g336-c7wv-8hp3
GMS-2020-784
VCID-r28p-re5d-uya7 XSS via Content-type header. By using a malicious server which returns script as the value of the Content-Type header, it is possible to execute arbitrary code using the demonstration capabilities of Swagger-UI. CVE-2016-1000233
GHSA-mrx7-8hxf-f853
GMS-2020-785
VCID-sp5n-ncjd-rkft XSS in key names. Swagger is a standardized library for documenting API endpoints and their parameters. Swagger uses a JSON document to organize API endpoint parameter data. Swagger-UI contains a cross-site scripting (XSS) vulnerability in the key names for the following object path in the JSON document: `.definitions.<USER_DEFINED>.properties.<INJECTABLE_KEY_NAME>`. Supplying a key name with script tags causes arbitrary code execution. In addition, it is possible to load arbitrary JSON files remotely via the `URL` query-string parameter. This advisory is being disclosed before a public patched release is available because of a public GitHub issue documenting the vulnerability. CVE-2016-1000229
GHSA-h8wp-wgcq-qhrf
VCID-znja-a329-yyh9 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui. GHSA-22q9-hqm5-mhmc
GMS-2020-780

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T18:03:10.110419+00:00 GithubOSV Importer Fixing VCID-sp5n-ncjd-rkft https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h8wp-wgcq-qhrf/GHSA-h8wp-wgcq-qhrf.json 38.6.0
2026-06-04T17:22:30.716235+00:00 GithubOSV Importer Fixing VCID-fc6y-84x3-8bgu https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-vp93-gcx5-4w52/GHSA-vp93-gcx5-4w52.json 38.6.0
2026-06-04T17:22:06.408119+00:00 GithubOSV Importer Fixing VCID-znja-a329-yyh9 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-22q9-hqm5-mhmc/GHSA-22q9-hqm5-mhmc.json 38.6.0
2026-06-04T17:22:02.442146+00:00 GithubOSV Importer Fixing VCID-hvuf-t6m7-fuhh https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-w992-2gmj-9xxj/GHSA-w992-2gmj-9xxj.json 38.6.0
2026-06-04T17:21:56.670524+00:00 GithubOSV Importer Fixing VCID-3hsn-22rw-7kay https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-p239-93f7-h6xf/GHSA-p239-93f7-h6xf.json 38.6.0
2026-06-04T17:21:52.019567+00:00 GithubOSV Importer Fixing VCID-mjr2-z5x4-e3bs https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-g336-c7wv-8hp3/GHSA-g336-c7wv-8hp3.json 38.6.0
2026-06-04T17:21:46.292020+00:00 GithubOSV Importer Fixing VCID-r28p-re5d-uya7 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-mrx7-8hxf-f853/GHSA-mrx7-8hxf-f853.json 38.6.0
2026-06-04T17:21:40.018186+00:00 GithubOSV Importer Fixing VCID-5918-w4jq-rka8 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-7f59-x49p-v8mq/GHSA-7f59-x49p-v8mq.json 38.6.0
2026-06-04T16:20:24.535837+00:00 GitLab Importer Fixing VCID-fc6y-84x3-8bgu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/swagger-ui/GMS-2020-786.yml 38.6.0
2026-06-04T16:20:24.513937+00:00 GitLab Importer Fixing VCID-znja-a329-yyh9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/swagger-ui/GMS-2020-780.yml 38.6.0
2026-06-04T16:20:24.306357+00:00 GitLab Importer Fixing VCID-hvuf-t6m7-fuhh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/swagger-ui/GMS-2020-787.yml 38.6.0
2026-06-04T16:20:14.360624+00:00 GitLab Importer Fixing VCID-3hsn-22rw-7kay https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/swagger-ui/CVE-2016-5682.yml 38.6.0
2026-06-04T16:20:13.099661+00:00 GitLab Importer Fixing VCID-5918-w4jq-rka8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/swagger-ui/GMS-2020-783.yml 38.6.0
2026-06-04T16:20:12.972528+00:00 GitLab Importer Fixing VCID-mjr2-z5x4-e3bs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/swagger-ui/GMS-2020-784.yml 38.6.0
2026-06-04T16:20:12.381310+00:00 GitLab Importer Fixing VCID-r28p-re5d-uya7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/swagger-ui/GMS-2020-785.yml 38.6.0
2026-06-02T03:45:03.189487+00:00 Npm Importer Fixing VCID-sp5n-ncjd-rkft https://github.com/nodejs/security-wg/blob/main/vuln/npm/126.json 38.6.0