Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/1023062?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1023062?format=api", "purl": "pkg:gem/decidim-comments@0.29.4", "type": "gem", "namespace": "", "name": "decidim-comments", "version": "0.29.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.30.5", "latest_non_vulnerable_version": "0.31.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51270?format=api", "vulnerability_id": "VCID-afrd-7jmp-fqdv", "summary": "Decidim's comments API allows access to all commentable resources\n### Impact\n\nThe root level `commentable` field in the API allows access to all\ncommentable resources within the platform, without any permission\nchecks. All Decidim instances are impacted that have not secured\nthe `/api` endpoint. The `/api` endpoint is publicly available\nwith the default configuration.\n\n### Patches\n\nNot available\n\n### Workarounds\n\nTo mitigate the issue, you can limit the scope to only authenticated\nusers by limiting access to the `/api` endpoint. This would require\ncustom code or installing the 3rd party module `Decidim::Apiauth`.\n\nWith custom code, the `/api` endpoint can be limited to only\nauthenticated users with the following code (needs to run during\napplication initialization):\n\n```ruby\n# Within your application\n# config/initializers/limit_api_access.rb\n\nmodule LimitApiAccess\n extend ActiveSupport::Concern\n\n included do\n prepend_before_action do |controller|\n unless controller.send(:user_signed_in?)\n render plain: I18n.t(\"actions.login_before_access\",\n scope: \"decidim.core\"), status: :unauthorized\n end\n end\n end\nend\n\nRails.application.config.to_prepare do\n Decidim::Api::ApplicationController.include(LimitApiAccess)\nend\n```\n\nPlease note that this would only disable public access to the API\nand all authenticated users would be still able to exploit the\nvulnerability. 
This may be sufficient for some installations,\nbut not for all.\n\nAnother workaround is to limit the availability of the `/api` endpoint\nto only trusted ranges of IPs that need to access the API. The\nfollowing Nginx configuration would help limit the API access\nto only specific IPs:\n\n```\nlocation /api {\n allow 192.168.1.100;\n allow 192.168.1.101;\n deny all;\n}\n```\n\nThe same configuration can also be used without the `allow`\nstatements to disable all traffic to the `/api` endpoint.\n\nWhen considering a workaround and the seriousness of the vulnerability,\nplease consider the nature of the platform. If the platform is primarily\nserving public data, this vulnerability is not serious by its nature.\nIf the platform is protecting some resources, e.g. inside private\nparticipation spaces, the vulnerability may expose some data to\nthe attacker that is not meant to be public.\n\nIf you have enabled the organization setting \"Force users to\nauthenticate before access organization\", the scope of this\nvulnerability is limited to the users who are allowed to log in\nto the Decidim platform. 
This setting was introduced in version\n0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40870", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14235", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14351", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14354", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14316", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40870" }, { "reference_url": "https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:52:03Z/" } ], "url": "https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40870", "reference_id": "CVE-2026-40870", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40870" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-api/CVE-2026-40870.yml", "reference_id": "CVE-2026-40870.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-api/CVE-2026-40870.yml" }, { "reference_url": 
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-comments/CVE-2026-40870.yml", "reference_id": "CVE-2026-40870.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-comments/CVE-2026-40870.yml" }, { "reference_url": "https://github.com/advisories/GHSA-ghmh-q25g-gxxx", "reference_id": "GHSA-ghmh-q25g-gxxx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ghmh-q25g-gxxx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1023074?format=api", "purl": "pkg:gem/decidim-comments@0.30.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/decidim-comments@0.30.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/1023078?format=api", "purl": "pkg:gem/decidim-comments@0.31.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/decidim-comments@0.31.1" } ], "aliases": [ "CVE-2026-40870", "GHSA-ghmh-q25g-gxxx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-afrd-7jmp-fqdv" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/decidim-comments@0.29.4" }