Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1025738?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1025738?format=api", "purl": "pkg:npm/%40nocobase/database@0.5.0-alpha.10", "type": "npm", "namespace": "@nocobase", "name": "database", "version": "0.5.0-alpha.10", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.0.39", "latest_non_vulnerable_version": "2.0.39", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81067?format=api", "vulnerability_id": "VCID-vs3k-5ue5-9yh3", "summary": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41640", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05498", "scoring_system": "epss", "scoring_elements": "0.9043", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.05498", "scoring_system": "epss", "scoring_elements": "0.90469", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.05498", "scoring_system": "epss", "scoring_elements": "0.9046", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41640" }, { "reference_url": "https://github.com/nocobase/nocobase", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nocobase/nocobase" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41640", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41640" }, { "reference_url": "https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604", "reference_id": "202e2b8efe44ba90adbf1087f6f70881ff947604", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:54:23Z/" } ], "url": "https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604" }, { "reference_url": "https://github.com/nocobase/nocobase/pull/9133", "reference_id": "9133", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:54:23Z/" } ], "url": "https://github.com/nocobase/nocobase/pull/9133" }, { "reference_url": "https://github.com/advisories/GHSA-4948-f92q-f432", "reference_id": "GHSA-4948-f92q-f432", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4948-f92q-f432" }, { "reference_url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432", "reference_id": "GHSA-4948-f92q-f432", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:54:23Z/" } ], "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432" }, { "reference_url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39", "reference_id": "v2.0.39", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:54:23Z/" } ], "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373914?format=api", "purl": "pkg:npm/%40nocobase/database@2.0.39", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/database@2.0.39" } ], "aliases": [ "CVE-2026-41640", "GHSA-4948-f92q-f432" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vs3k-5ue5-9yh3" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/database@0.5.0-alpha.10" }