Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1028669?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1028669?format=api", "purl": "pkg:maven/org.omnifaces/omnifaces@3.8", "type": "maven", "namespace": "org.omnifaces", "name": "omnifaces", "version": "3.8", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.14.16", "latest_non_vulnerable_version": "5.2.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89196?format=api", "vulnerability_id": "VCID-83jc-pd7p-nbgv", "summary": "OmniFaces: EL injection via crafted resource name in wildcard CDN mapping\n### Impact\n\nServer-side EL injection leading to Remote Code Execution (RCE). Affects applications that use `CDNResourceHandler` with a wildcard CDN mapping (e.g. `libraryName:*=https://cdn.example.com/*`). An attacker can craft a resource request\nURL containing an EL expression in the resource name, which is evaluated server-side.\n\nThe severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.\n\nApplications using `CDNResourceHandler` without wildcard mappings (i.e. only explicit resource-to-URL mappings) are **not** affected.\n\n### Patches\n\nFixed in versions 5.2.3, 4.7.5, 3.14.16, 2.7.32, and 1.14.2. Users should upgrade to the appropriate version for their branch.\n\n### Workarounds\n\nReplace wildcard CDN mappings with explicit resource-to-URL mappings. For example, replace:\n```\nlibraryName:*=https://cdn.example.com/*\n```\nwith individual entries:\n```\nlibraryName:resource1.js=https://cdn.example.com/resource1.js,\nlibraryName:resource2.js=https://cdn.example.com/resource2.js\n```", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41883", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56433", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.5641", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56427", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56439", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00363", "scoring_system": "epss", "scoring_elements": "0.58679", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41883" }, { "reference_url": "https://github.com/omnifaces/omnifaces", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omnifaces/omnifaces" }, { "reference_url": "https://github.com/omnifaces/omnifaces/security/advisories/GHSA-vp6r-9m58-5xv8", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-08T19:39:20Z/" } ], "url": "https://github.com/omnifaces/omnifaces/security/advisories/GHSA-vp6r-9m58-5xv8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41883", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41883" }, { "reference_url": "https://github.com/advisories/GHSA-vp6r-9m58-5xv8", "reference_id": "GHSA-vp6r-9m58-5xv8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vp6r-9m58-5xv8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110235?format=api", "purl": "pkg:maven/org.omnifaces/omnifaces@3.14.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.omnifaces/omnifaces@3.14.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/110236?format=api", "purl": "pkg:maven/org.omnifaces/omnifaces@4.7.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.omnifaces/omnifaces@4.7.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/110237?format=api", "purl": "pkg:maven/org.omnifaces/omnifaces@5.2.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.omnifaces/omnifaces@5.2.3" } ], "aliases": [ "CVE-2026-41883", "GHSA-vp6r-9m58-5xv8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-83jc-pd7p-nbgv" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.omnifaces/omnifaces@3.8" }