Lookup for vulnerable packages by Package URL.

Purl pkg:composer/flightphp/core@3.10.0
Type composer
Namespace flightphp
Name core
Version 3.10.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.18.1
Latest_non_vulnerable_version 3.18.1
Affected_by_vulnerabilities
0
url VCID-659r-qjhf-g7df
vulnerability_id VCID-659r-qjhf-g7df
summary Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys. This vulnerability is fixed in 3.18.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42550
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.05595
published_at 2026-06-13T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.05574
published_at 2026-06-11T12:55:00Z
2
value 0.00019
scoring_system epss
scoring_elements 0.05602
published_at 2026-06-12T12:55:00Z
3
value 0.00022
scoring_system epss
scoring_elements 0.06513
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42550
1
reference_url https://github.com/flightphp/core
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core
2
reference_url https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
3
reference_url https://github.com/flightphp/core/releases/tag/v3.18.1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core/releases/tag/v3.18.1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42550
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42550
5
reference_url https://github.com/advisories/GHSA-xwqr-rcqg-22mr
reference_id GHSA-xwqr-rcqg-22mr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xwqr-rcqg-22mr
6
reference_url https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr
reference_id GHSA-xwqr-rcqg-22mr
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-14T15:43:39Z/
url https://github.com/flightphp/core/security/advisories/GHSA-xwqr-rcqg-22mr
fixed_packages
0
url pkg:composer/flightphp/core@3.18.1
purl pkg:composer/flightphp/core@3.18.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/flightphp/core@3.18.1
aliases CVE-2026-42550, GHSA-xwqr-rcqg-22mr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-659r-qjhf-g7df
1
url VCID-79ht-u2tz-e3hm
vulnerability_id VCID-79ht-u2tz-e3hm
summary Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin. This vulnerability is fixed in 3.18.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42551
reference_id
reference_type
scores
0
value 0.00012
scoring_system epss
scoring_elements 0.01876
published_at 2026-06-11T12:55:00Z
1
value 0.00012
scoring_system epss
scoring_elements 0.01879
published_at 2026-06-13T12:55:00Z
2
value 0.00012
scoring_system epss
scoring_elements 0.01877
published_at 2026-06-12T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02317
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42551
1
reference_url https://github.com/flightphp/core
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core
2
reference_url https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
3
reference_url https://github.com/flightphp/core/releases/tag/v3.18.1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core/releases/tag/v3.18.1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42551
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42551
5
reference_url https://github.com/advisories/GHSA-vxrr-w42w-w76g
reference_id GHSA-vxrr-w42w-w76g
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vxrr-w42w-w76g
6
reference_url https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g
reference_id GHSA-vxrr-w42w-w76g
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T12:49:44Z/
url https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g
fixed_packages
0
url pkg:composer/flightphp/core@3.18.1
purl pkg:composer/flightphp/core@3.18.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/flightphp/core@3.18.1
aliases CVE-2026-42551, GHSA-vxrr-w42w-w76g
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-79ht-u2tz-e3hm
2
url VCID-adbg-fyh8-dyde
vulnerability_id VCID-adbg-fyh8-dyde
summary Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains /, but the recursive directory creation side effect is already committed — including directories located outside the project root through ../ traversal. This vulnerability is fixed in 3.18.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42549
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.0119
published_at 2026-06-14T12:55:00Z
1
value 9e-05
scoring_system epss
scoring_elements 0.00898
published_at 2026-06-11T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.00901
published_at 2026-06-13T12:55:00Z
3
value 9e-05
scoring_system epss
scoring_elements 0.00894
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42549
1
reference_url https://github.com/flightphp/core
reference_id
reference_type
scores
0
value 4.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42549
reference_id
reference_type
scores
0
value 4.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42549
3
reference_url https://github.com/advisories/GHSA-3xjv-pmf2-gf2q
reference_id GHSA-3xjv-pmf2-gf2q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3xjv-pmf2-gf2q
4
reference_url https://github.com/flightphp/core/security/advisories/GHSA-3xjv-pmf2-gf2q
reference_id GHSA-3xjv-pmf2-gf2q
reference_type
scores
0
value 4.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T19:05:05Z/
url https://github.com/flightphp/core/security/advisories/GHSA-3xjv-pmf2-gf2q
fixed_packages
0
url pkg:composer/flightphp/core@3.18.1
purl pkg:composer/flightphp/core@3.18.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/flightphp/core@3.18.1
aliases CVE-2026-42549, GHSA-3xjv-pmf2-gf2q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-adbg-fyh8-dyde
3
url VCID-sjyh-3jvf-bkfp
vulnerability_id VCID-sjyh-3jvf-bkfp
summary Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site scripting. This vulnerability is fixed in 3.18.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42548
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05768
published_at 2026-06-12T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05743
published_at 2026-06-11T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05758
published_at 2026-06-13T12:55:00Z
3
value 0.00022
scoring_system epss
scoring_elements 0.06304
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42548
1
reference_url https://github.com/flightphp/core
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42548
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42548
3
reference_url https://github.com/advisories/GHSA-fcx8-ph5r-mxr4
reference_id GHSA-fcx8-ph5r-mxr4
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fcx8-ph5r-mxr4
4
reference_url https://github.com/flightphp/core/security/advisories/GHSA-fcx8-ph5r-mxr4
reference_id GHSA-fcx8-ph5r-mxr4
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-14T12:32:10Z/
url https://github.com/flightphp/core/security/advisories/GHSA-fcx8-ph5r-mxr4
fixed_packages
0
url pkg:composer/flightphp/core@3.18.1
purl pkg:composer/flightphp/core@3.18.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/flightphp/core@3.18.1
aliases CVE-2026-42548, GHSA-fcx8-ph5r-mxr4
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sjyh-3jvf-bkfp
4
url VCID-thk9-hptw-9ya4
vulnerability_id VCID-thk9-hptw-9ya4
summary Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure — giving attackers primitives for chaining other weaknesses (LFI, path traversal). This vulnerability is fixed in 3.18.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42552
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.0291
published_at 2026-06-13T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.02914
published_at 2026-06-11T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.02924
published_at 2026-06-12T12:55:00Z
3
value 0.00016
scoring_system epss
scoring_elements 0.03734
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42552
1
reference_url https://github.com/flightphp/core
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core
2
reference_url https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
3
reference_url https://github.com/flightphp/core/releases/tag/v3.18.1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/flightphp/core/releases/tag/v3.18.1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42552
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42552
5
reference_url https://github.com/advisories/GHSA-qrch-52m5-vv85
reference_id GHSA-qrch-52m5-vv85
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qrch-52m5-vv85
6
reference_url https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85
reference_id GHSA-qrch-52m5-vv85
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-15T18:48:38Z/
url https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85
fixed_packages
0
url pkg:composer/flightphp/core@3.18.1
purl pkg:composer/flightphp/core@3.18.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/flightphp/core@3.18.1
aliases CVE-2026-42552, GHSA-qrch-52m5-vv85
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-thk9-hptw-9ya4
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/flightphp/core@3.10.0