Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1023807?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1023807?format=api", "purl": "pkg:maven/org.thymeleaf/thymeleaf@2.0.19", "type": "maven", "namespace": "org.thymeleaf", "name": "thymeleaf", "version": "2.0.19", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.1.5.RELEASE", "latest_non_vulnerable_version": "3.1.5.RELEASE", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/62723?format=api", "vulnerability_id": "VCID-3ryv-gwe2-zydg", "summary": "thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40478.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40478.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40478", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17594", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17693", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17687", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17655", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17577", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40478" }, { "reference_url": "https://github.com/thymeleaf/thymeleaf", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/thymeleaf/thymeleaf" }, { "reference_url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-20T16:17:04Z/" } ], "url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40478", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40478" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459349", "reference_id": "2459349", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459349" }, { "reference_url": "https://github.com/advisories/GHSA-xjw8-8c5c-9r79", "reference_id": "GHSA-xjw8-8c5c-9r79", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xjw8-8c5c-9r79" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21772", "reference_id": "RHSA-2026:21772", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21772" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1126219?format=api", "purl": "pkg:maven/org.thymeleaf/thymeleaf@3.1.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/109950?format=api", "purl": "pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8hc3-8tdw-yueg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE" } ], "aliases": [ "CVE-2026-40478", "GHSA-xjw8-8c5c-9r79" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3ryv-gwe2-zydg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91948?format=api", "vulnerability_id": "VCID-8hc3-8tdw-yueg", "summary": "Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns\n### Impact\n\nA security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.4.RELEASE. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI).\n\n### Patches\n\nThis has been fixed in Thymeleaf 3.1.5.RELEASE. All users are advised to upgrade immediately.\n\n### Workarounds\n\nNo workaround is available beyond ensuring applications do not pass unvalidated/unsanitized data directly to the template engine. Upgrading to 3.1.5.RELEASE is strongly recommended in any case.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41901", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.27947", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.27817", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.27811", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.27859", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.27896", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41901" }, { "reference_url": "https://github.com/thymeleaf/thymeleaf", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/thymeleaf/thymeleaf" }, { "reference_url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744", "reference_id": "", "reference_type": "", "scores": [ { "value": "9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-13T12:07:53Z/" } ], "url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41901", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41901" }, { "reference_url": "https://github.com/advisories/GHSA-c9ph-gxww-7744", "reference_id": "GHSA-c9ph-gxww-7744", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c9ph-gxww-7744" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1126326?format=api", "purl": "pkg:maven/org.thymeleaf/thymeleaf@3.1.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/114461?format=api", "purl": "pkg:maven/org.thymeleaf/thymeleaf@3.1.5.RELEASE", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.5.RELEASE" } ], "aliases": [ "CVE-2026-41901", "GHSA-c9ph-gxww-7744" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8hc3-8tdw-yueg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/62724?format=api", "vulnerability_id": "VCID-9r94-dxdk-qkb9", "summary": "thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40477.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40477.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40477", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17594", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17693", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17687", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17655", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17577", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40477" }, { "reference_url": "https://github.com/thymeleaf/thymeleaf", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/thymeleaf/thymeleaf" }, { "reference_url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-20T13:23:45Z/" } ], "url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40477", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40477" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459344", "reference_id": "2459344", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459344" }, { "reference_url": "https://github.com/advisories/GHSA-r4v4-5mwr-2fwr", "reference_id": "GHSA-r4v4-5mwr-2fwr", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r4v4-5mwr-2fwr" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21772", "reference_id": "RHSA-2026:21772", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21772" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1126219?format=api", "purl": "pkg:maven/org.thymeleaf/thymeleaf@3.1.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/109950?format=api", "purl": "pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8hc3-8tdw-yueg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@3.1.4.RELEASE" } ], "aliases": [ "CVE-2026-40477", "GHSA-r4v4-5mwr-2fwr" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9r94-dxdk-qkb9" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.thymeleaf/thymeleaf@2.0.19" }