Lookup for vulnerable packages by Package URL.

Purl pkg:composer/october/rain@3.5.2
Type composer
Namespace october
Name rain
Version 3.5.2
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.7.16
Latest_non_vulnerable_version 4.1.10
Affected_by_vulnerabilities
0
url VCID-2emz-xbhv-d7e6
vulnerability_id VCID-2emz-xbhv-d7e6
summary October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with CMS_SAFE_MODE enabled (disabled by default). This issue has been fixed in versions 3.7.13 and 4.1.5. To workaround this issue, users can disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to fully trusted administrators only.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22692
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.05146
published_at 2026-06-12T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.05127
published_at 2026-06-14T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.05135
published_at 2026-06-11T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.05136
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22692
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22692
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22692
3
reference_url https://github.com/advisories/GHSA-m5qg-jc75-4jp6
reference_id GHSA-m5qg-jc75-4jp6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m5qg-jc75-4jp6
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6
reference_id GHSA-m5qg-jc75-4jp6
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T19:42:23Z/
url https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6
fixed_packages
0
url pkg:composer/october/rain@3.7.13
purl pkg:composer/october/rain@3.7.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-htv5-4uyf-e7bv
1
vulnerability VCID-z4xx-uev9-s7dn
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.13
1
url pkg:composer/october/rain@4.1.5
purl pkg:composer/october/rain@4.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-htv5-4uyf-e7bv
1
vulnerability VCID-z4xx-uev9-s7dn
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.5
aliases CVE-2026-22692, GHSA-m5qg-jc75-4jp6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2emz-xbhv-d7e6
1
url VCID-htv5-4uyf-e7bv
vulnerability_id VCID-htv5-4uyf-e7bv
summary October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.x versions prior to 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to privilege escalation if a superuser views or embeds the malicious SVG, and requires authenticated backend access with media upload permissions. The SVG must be viewed or embedded in a page for the payload to trigger. This issue has been fixed in versions 3.7.14 and 4.1.10.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25133
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.0094
published_at 2026-06-13T12:55:00Z
1
value 9e-05
scoring_system epss
scoring_elements 0.00943
published_at 2026-06-14T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.00934
published_at 2026-06-11T12:55:00Z
3
value 9e-05
scoring_system epss
scoring_elements 0.00932
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25133
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25133
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25133
3
reference_url https://github.com/advisories/GHSA-gcqv-f29m-67gr
reference_id GHSA-gcqv-f29m-67gr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gcqv-f29m-67gr
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr
reference_id GHSA-gcqv-f29m-67gr
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:47:21Z/
url https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr
fixed_packages
0
url pkg:composer/october/rain@3.7.14
purl pkg:composer/october/rain@3.7.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.14
1
url pkg:composer/october/rain@3.7.16
purl pkg:composer/october/rain@3.7.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.16
2
url pkg:composer/october/rain@4.1.10
purl pkg:composer/october/rain@4.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.10
aliases CVE-2026-25133, GHSA-gcqv-f29m-67gr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-htv5-4uyf-e7bv
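The advisory above describes a regex that strips event-handler attributes and is bypassed through how it matches attribute boundaries; it does not publish the pattern or the payload, and nothing below reproduces October's code. As an added example, the block contrasts a hypothetical regex stripper of that class with a parser-based sanitizer that decides on element names, attribute names and href schemes after the XML has been parsed, so quoting and whitespace variations have nothing left to hide behind. The sample SVG and the naive pattern are constructed for the demonstration.

```python
"""Uploaded-SVG sanitization: a boundary-sensitive regex (hypothetical) next to a parser-based allowlist."""
import re
import xml.etree.ElementTree as ET  # for untrusted input in production parse with defusedxml (entity expansion)

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize back without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample upload (not the advisory's payload). Each handler uses a different attribute
# syntax; all three are well-formed XML that a browser honours.
SAMPLE_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" viewBox="0 0 20 20">'
    '<rect width="10" height="10" onclick="alert(1)"/>'        # double quotes, no spaces: regex catches it
    "<rect width='10' height='10' onmouseover='alert(2)'/>"    # single quotes: regex misses it
    '<circle r="5" onmousedown = "alert(3)"/>'                 # whitespace around '=': regex misses it
    '<a xlink:href="javascript:alert(4)"><text>link</text></a>'
    '<script>alert(5)</script>'
    '</svg>'
)

# Hypothetical stripper of the regex class the advisory describes; it is not October's pattern.
NAIVE_HANDLER_RE = re.compile(r'\s+on\w+="[^"]*"', re.IGNORECASE)


def naive_strip_handlers(svg: str) -> str:
    """Removes only  on*="..."  with double quotes and '=' glued to the name; everything else slips through."""
    return NAIVE_HANDLER_RE.sub("", svg)


BLOCKED_ELEMENTS = {"script", "foreignObject", "set", "animate"}  # set/animate can rewrite attributes at runtime
SAFE_SCHEMES = {"http", "https"}


def _local(name: str) -> str:
    """'{uri}tag' -> 'tag' (ElementTree's Clark notation)."""
    return name.rsplit("}", 1)[-1]


def href_is_safe(value: str) -> bool:
    """Allowlist the URL scheme after discarding whitespace/control characters that browsers ignore."""
    v = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    head = v.split("/", 1)[0].split("#", 1)[0].split("?", 1)[0]
    if ":" not in head:
        return True                     # relative path or fragment reference
    return head.split(":", 1)[0] in SAFE_SCHEMES


def sanitize_svg(svg: str) -> str:
    """Parse first, then decide on element and attribute names; quoting and whitespace no longer matter."""
    root = ET.fromstring(svg)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in BLOCKED_ELEMENTS:
                parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr)
            if name.lower().startswith("on") or (name == "href" and not href_is_safe(el.attrib[attr])):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("regex :", naive_strip_handlers(SAMPLE_SVG))
    print("parser:", sanitize_svg(SAMPLE_SVG))
```

The parser-based version also rejects anything that is not well-formed XML, which is what a browser would do with a standalone SVG file anyway; the regex version silently passes such input through.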
2
url VCID-z4xx-uev9-s7dn
vulnerability_id VCID-z4xx-uev9-s7dn
summary October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.x versions prior to 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation, attackers with Editor access could inject patterns such as ${APP_KEY} or ${DB_PASSWORD} into CMS page settings fields, causing sensitive environment variables to be resolved, stored in the template, and returned to the attacker when the page was reopened. This could enable exfiltration of credentials and secrets (database passwords, AWS keys, application keys), potentially leading to further attacks such as database access or cookie forgery. The vulnerability is only relevant when cms.safe_mode is enabled, as direct PHP injection is already possible otherwise. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to immediately upgrade, they can work around this issue by restricting Editor tool access to fully trusted administrators only, and ensuring database and cloud service credentials are not accessible from the web server's network.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25125
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.0279
published_at 2026-06-14T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02788
published_at 2026-06-11T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.0278
published_at 2026-06-13T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02796
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25125
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25125
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25125
3
reference_url https://github.com/advisories/GHSA-g6v3-wv4j-x9hg
reference_id GHSA-g6v3-wv4j-x9hg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g6v3-wv4j-x9hg
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-g6v3-wv4j-x9hg
reference_id GHSA-g6v3-wv4j-x9hg
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T14:24:59Z/
url https://github.com/octobercms/october/security/advisories/GHSA-g6v3-wv4j-x9hg
fixed_packages
0
url pkg:composer/october/rain@3.7.14
purl pkg:composer/october/rain@3.7.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.14
1
url pkg:composer/october/rain@3.7.16
purl pkg:composer/october/rain@3.7.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.16
2
url pkg:composer/october/rain@4.1.10
purl pkg:composer/october/rain@4.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.10
aliases CVE-2026-25125, GHSA-g6v3-wv4j-x9hg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z4xx-uev9-s7dn
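For the INI interpolation issue above, the question an incident responder has after patching is whether any stored template already carries a ${VAR} pattern, or a secret that was resolved and written into the file. The following added example (my own code, not October's and not from this page) scans template contents for both. It assumes October's theme template layout, where the INI settings section comes first and ends at a line containing only ==; the environment and template fixtures are constructed with fake values.

```python
"""Scan stored CMS templates for INI-section ${VAR} interpolation patterns and for secrets that were
already resolved into them. Layout assumption: October-style templates, INI settings first, ended by a
line containing only '=='."""
import re
from dataclasses import dataclass

# Spaces inside the braces are tolerated by the scanner to stay conservative; no claim about PHP's parser.
INTERPOLATION_RE = re.compile(r"\$\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}")
SECRET_NAME_RE = re.compile(r"KEY|SECRET|PASSWORD|PASS|TOKEN", re.IGNORECASE)
MIN_SECRET_LEN = 8   # skip short values that would match by accident


@dataclass
class Finding:
    template: str
    line_no: int
    kind: str      # "pattern": an unresolved ${VAR}; "resolved": a secret value already written into the file
    detail: str


def settings_section(template: str) -> list:
    """(line number, line) pairs of the INI section, i.e. everything before the first '==' separator."""
    lines = []
    for number, line in enumerate(template.splitlines(), start=1):
        if line.strip() == "==":
            break
        lines.append((number, line))
    return lines


def secret_values(env: dict) -> dict:
    """value -> variable name for environment entries whose name looks like a secret."""
    return {v: k for k, v in env.items() if SECRET_NAME_RE.search(k) and len(v) >= MIN_SECRET_LEN}


def scan_template(name: str, content: str, env: dict) -> list:
    findings = []
    secrets = secret_values(env)
    for number, line in settings_section(content):
        for m in INTERPOLATION_RE.finditer(line):
            findings.append(Finding(name, number, "pattern", "${" + m.group(1) + "}"))
        for value, var in secrets.items():
            if value in line:
                findings.append(Finding(name, number, "resolved", var))
    return findings


def scan_all(templates: dict, env: dict) -> list:
    findings = []
    for name, content in templates.items():
        findings.extend(scan_template(name, content, env))
    return findings


# Constructed fixtures with fake values; nothing here comes from a real deployment.
SAMPLE_ENV = {
    "APP_KEY": "base64:FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK=",
    "DB_PASSWORD": "not-a-real-password-1234",
    "APP_ENV": "production",
}
SAMPLE_TEMPLATES = {
    # clean page
    "pages/home.htm": 'title = "Home"\nurl = "/"\n==\n<h1>{{ this.page.title }}</h1>\n',
    # injected patterns that have not been resolved into the stored file
    "pages/about.htm": 'title = "About ${APP_KEY}"\nurl = "/about"\nmeta_description = "${ DB_PASSWORD }"\n==\n<p>about</p>\n',
    # a secret already expanded into the settings; the ${...} in the Twig section is outside the INI parser's reach
    "pages/contact.htm": 'title = "Contact not-a-real-password-1234"\nurl = "/contact"\n==\n<p>{{ "${APP_KEY}" }}</p>\n',
}


if __name__ == "__main__":
    for f in scan_all(SAMPLE_TEMPLATES, SAMPLE_ENV):
        print(f"{f.template}:{f.line_no} {f.kind} {f.detail}")
```

A "resolved" hit means the secret has already been persisted and read back at least once, so rotate that credential rather than only removing the line; a "pattern" hit is the injection attempt itself and points at the account that saved the template.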
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.5.2
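Reading this response by hand shows the trap in it: the fixed_packages for VCID-2emz-xbhv-d7e6 (3.7.13 and 4.1.5) are themselves marked is_vulnerable, because the other two advisories still affect them. The following added example (my own code, not a VulnerableCode client or anything from the page) parses an abbreviated replica of this response, lists the fixes that are still vulnerable, and picks the lowest non-vulnerable fixed version in the major line you are running. The fetch_package helper assumes the endpoint POST /api/packages/lookup with a JSON body {"purl": ...}; verify that against your instance's API documentation before relying on it.

```python
"""Triage a VulnerableCode package lookup: which advisories apply, which of their 'fixed' versions the
service still marks vulnerable, and the lowest clean version in the major line you are running."""
import json
import re
import urllib.request
from typing import Optional


def parse_version(version: str) -> tuple:
    """Numeric tuple for composer-style versions; 'v' prefix and pre-release/build suffixes are tolerated."""
    core = re.sub(r"^v", "", version.split("-", 1)[0].split("+", 1)[0])
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def _version_of(fixed: dict) -> str:
    return fixed["purl"].rsplit("@", 1)[1]


def summarize(pkg: dict) -> list:
    """One row per advisory: id, aliases, first CVSS v3.1 vector found in the references, fixes."""
    rows = []
    for vuln in pkg.get("affected_by_vulnerabilities", []):
        vector = next((s.get("scoring_elements") for ref in vuln.get("references", [])
                       for s in ref.get("scores", []) if s.get("scoring_system") == "cvssv3.1"), None)
        rows.append({"id": vuln["vulnerability_id"], "aliases": list(vuln.get("aliases", [])), "cvss31": vector,
                     "fixes": [(_version_of(f), f["is_vulnerable"]) for f in vuln.get("fixed_packages", [])]})
    return rows


def still_vulnerable_fixes(pkg: dict) -> dict:
    """Fixed versions the response itself flags: they close one advisory while other ones still apply."""
    out = {}
    for vuln in pkg.get("affected_by_vulnerabilities", []):
        for f in vuln.get("fixed_packages", []):
            if f["is_vulnerable"]:
                out[_version_of(f)] = [a["vulnerability"] for a in f.get("affected_by_vulnerabilities", [])]
    return out


def upgrade_target(pkg: dict, current: str) -> Optional[str]:
    """Lowest fixed version above `current`, in the same major line, that the response marks not vulnerable."""
    cur = parse_version(current)
    if not cur:
        raise ValueError(f"unparseable version {current!r}")
    candidates = {
        _version_of(f)
        for vuln in pkg.get("affected_by_vulnerabilities", [])
        for f in vuln.get("fixed_packages", [])
        if not f["is_vulnerable"] and parse_version(_version_of(f))[0] == cur[0] and parse_version(_version_of(f)) > cur
    }
    return min(candidates, key=parse_version) if candidates else None


def fetch_package(base_url: str, purl: str) -> dict:
    """Live lookup. ASSUMED endpoint: POST {base_url}/api/packages/lookup with JSON {"purl": ...};
    confirm against your instance's API docs. Not exercised offline."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/packages/lookup",
                                 data=json.dumps({"purl": purl}).encode(),
                                 headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Abbreviated replica of the response on this page: reference lists cut down to their CVSS v3.1 entries.
def _fix(version, *still_affected):
    return {"purl": f"pkg:composer/october/rain@{version}", "is_vulnerable": bool(still_affected),
            "affected_by_vulnerabilities": [{"vulnerability": v} for v in still_affected]}


def _vuln(vcid, aliases, vector, fixes):
    return {"vulnerability_id": vcid, "aliases": aliases, "fixed_packages": fixes,
            "references": [{"scores": [{"scoring_system": "cvssv3.1", "scoring_elements": vector}]}]}


CLEAN_FIXES = [_fix("3.7.14"), _fix("3.7.16"), _fix("4.1.10")]
OTHER_TWO = ("VCID-htv5-4uyf-e7bv", "VCID-z4xx-uev9-s7dn")
SAMPLE_RESPONSE = {
    "purl": "pkg:composer/october/rain@3.5.2", "is_vulnerable": True,
    "next_non_vulnerable_version": "3.7.16", "latest_non_vulnerable_version": "4.1.10",
    "affected_by_vulnerabilities": [
        _vuln("VCID-2emz-xbhv-d7e6", ["CVE-2026-22692", "GHSA-m5qg-jc75-4jp6"],
              "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", [_fix("3.7.13", *OTHER_TWO), _fix("4.1.5", *OTHER_TWO)]),
        _vuln("VCID-htv5-4uyf-e7bv", ["CVE-2026-25133", "GHSA-gcqv-f29m-67gr"],
              "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", CLEAN_FIXES),
        _vuln("VCID-z4xx-uev9-s7dn", ["CVE-2026-25125", "GHSA-g6v3-wv4j-x9hg"],
              "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", CLEAN_FIXES),
    ],
}

if __name__ == "__main__":
    for row in summarize(SAMPLE_RESPONSE):
        print(row["id"], row["aliases"], row["cvss31"], row["fixes"])
    print("fixes still vulnerable:", still_vulnerable_fixes(SAMPLE_RESPONSE))
    print("3.x target:", upgrade_target(SAMPLE_RESPONSE, "3.5.2"),
          "/ service next_non_vulnerable_version:", SAMPLE_RESPONSE["next_non_vulnerable_version"])
    print("4.x target:", upgrade_target(SAMPLE_RESPONSE, "4.0.0"))
```

Derived from the fixed_packages entries alone, the 3.x target is 3.7.14, while the service's own Next_non_vulnerable_version field on this page says 3.7.16. Treat the service field as the value to pin (it is computed over everything the instance knows about the package, not just the three advisories listed here) and the gap as something to look into before the upgrade ticket closes.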