{"url":"http://public2.vulnerablecode.io/api/packages/103805?format=json","purl":"pkg:deb/debian/shellinabox@2.21?distro=trixie","type":"deb","namespace":"debian","name":"shellinabox","version":"2.21","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.21+really2.21-2","latest_non_vulnerable_version":"2.21+really2.21-2","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/206214?format=json","vulnerability_id":"VCID-xcbd-hjb5-9ycj","summary":"libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16789","reference_id":"","reference_type":"","scores":[{"value":"0.00861","scoring_system":"epss","scoring_elements":"0.75498","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00861","scoring_system":"epss","scoring_elements":"0.75568","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00861","scoring_system":"epss","scoring_elements":"0.75582","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00861","scoring_system":"epss","scoring_elements":"0.75577","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16789"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16789","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16789"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/103805?format=json","purl":"pkg:deb/debian/shellinabox@2.21?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shellinabox@2.21%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103807?format=json","purl":"pkg:deb/debian/shellinabox@2.21%2Breally2.21-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shellinabox@2.21%252Breally2.21-2%3Fdistro=trixie"}],"aliases":["CVE-2018-16789"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xcbd-hjb5-9ycj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/204131?format=json","vulnerability_id":"VCID-xksh-ksy1-7fg8","summary":"The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the \"/plain\" URL.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-8400","reference_id":"","reference_type":"","scores":[{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68618","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68711","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68724","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00556","scoring_system":"epss","scoring_elements":"0.68719","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-8400"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8400","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8400"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/103806?format=json","purl":"pkg:deb/debian/shellinabox@2.19?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shellinabox@2.19%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103805?format=json","purl":"pkg:deb/debian/shellinabox@2.21?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shellinabox@2.21%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103807?format=json","purl":"pkg:deb/debian/shellinabox@2.21%2Breally2.21-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shellinabox@2.21%252Breally2.21-2%3Fdistro=trixie"}],"aliases":["CVE-2015-8400"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xksh-ksy1-7fg8"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shellinabox@2.21%3Fdistro=trixie"}