Package details: pkg:pypi/fava@1.13
purl pkg:pypi/fava@1.13
Next non-vulnerable version 1.22.0
Latest non-vulnerable version 1.22.3
Risk 3.1
Vulnerabilities affecting this package (3)
VCID-3bav-gxx4-uyes
  Aliases: CVE-2022-2523, GHSA-q8hg-3vqv-f8v3, PYSEC-2022-240
  Summary: Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2.
  Fixed by: 1.22.2 (affected by 1 other vulnerability)

VCID-qbg1-taye-bqee
  Aliases: CVE-2022-2589, GHSA-6hcj-qrw3-m66q, PYSEC-2022-246
  Summary: Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.3.
  Fixed by: 1.22.3 (affected by 0 other vulnerabilities)

VCID-rzyx-kfhm-ryaz
  Aliases: CVE-2022-2514, GHSA-xrf4-39fm-j5f2, PYSEC-2022-239, PYSEC-2022-43182
  Summary: The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters verbatim.
  Fixed by: 1.22.0 (affected by 0 other vulnerabilities); 1.22 (affected by 2 other vulnerabilities)
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T18:29:16.413374+00:00 GitLab Importer Affected by VCID-qbg1-taye-bqee https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/fava/CVE-2022-2589.yml 38.6.0
2026-06-12T18:28:42.185377+00:00 GitLab Importer Affected by VCID-rzyx-kfhm-ryaz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/fava/CVE-2022-2514.yml 38.6.0
2026-06-12T18:28:35.342553+00:00 GitLab Importer Affected by VCID-3bav-gxx4-uyes https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/fava/CVE-2022-2523.yml 38.6.0
2026-06-12T04:15:12.575741+00:00 Pypa Importer Affected by VCID-qbg1-taye-bqee https://github.com/pypa/advisory-database/blob/main/vulns/fava/PYSEC-2022-246.yaml 38.6.0
2026-06-12T04:15:12.185541+00:00 Pypa Importer Affected by VCID-rzyx-kfhm-ryaz https://github.com/pypa/advisory-database/blob/main/vulns/fava/PYSEC-2022-239.yaml 38.6.0
2026-06-12T04:15:12.074231+00:00 Pypa Importer Affected by VCID-3bav-gxx4-uyes https://github.com/pypa/advisory-database/blob/main/vulns/fava/PYSEC-2022-240.yaml 38.6.0
2026-06-11T20:58:12.775170+00:00 PyPI Importer Affected by VCID-qbg1-taye-bqee https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-11T20:58:08.389426+00:00 PyPI Importer Affected by VCID-rzyx-kfhm-ryaz https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-11T20:58:07.904909+00:00 PyPI Importer Affected by VCID-3bav-gxx4-uyes https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0