{"url":"http://public2.vulnerablecode.io/api/packages/106739?format=json","purl":"pkg:deb/debian/vips@8.10.5-2?distro=trixie","type":"deb","namespace":"debian","name":"vips","version":"8.10.5-2","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"8.10.5-2+deb11u1","latest_non_vulnerable_version":"8.18.2-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85630?format=json","vulnerability_id":"VCID-8946-28v3-6yh7","summary":"A vulnerability was found in libvips 8.19.0. Impacted is the function vips_extract_area_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_area results in integer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. It is advisable to implement a patch to correct this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3284","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02322","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3284"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3284","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3284"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129310","reference_id":"1129310","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129310"},{"reference_url":"https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70","reference_id":"24795bb3d19d84f7b6f5ed86451ad556c8f2fe70","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:35Z/"}],"url":"https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70"},{"reference_url":"https://github.com/libvips/libvips/issues/4879","reference_id":"4879","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:35Z/"}],"url":"https://github.com/libvips/libvips/issues/4879"},{"reference_url":"https://github.com/libvips/libvips/issues/4879#issue-3944211794","reference_id":"4879#issue-3944211794","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:35Z/"}],"url":"https://github.com/libvips/libvips/issues/4879#issue-3944211794"},{"reference_url":"https://github.com/libvips/libvips/pull/4887","reference_id":"4887","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:35Z/"}],"url":"https://github.com/libvips/libvips/pull/4887"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*"},{"reference_url":"https://vuldb.com/?ctiid.348013","reference_id":"?ctiid.348013","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:35Z/"}],"url":"https://vuldb.com/?ctiid.348013"},{"reference_url":"https://vuldb.com/?id.348013","reference_id":"?id.348013","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:35Z/"}],"url":"https://vuldb.com/?id.348013"},{"reference_url":"https://github.com/libvips/libvips/","reference_id":"libvips","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:35Z/"}],"url":"https://github.com/libvips/libvips/"},{"reference_url":"https://vuldb.com/?submit.758864","reference_id":"?submit.758864","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:35Z/"}],"url":"https://vuldb.com/?submit.758864"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106754?format=json","purl":"pkg:deb/debian/vips@8.18.0-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.0-3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-3284"],"risk_score":2.1,"exploitability":"0.5","weighted_severity":"4.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8946-28v3-6yh7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/27679?format=json","vulnerability_id":"VCID-cz3w-5229-yqbb","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2913.json","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2913.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-2913","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07927","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-2913"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2913","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2913"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128785","reference_id":"1128785","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128785"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441715","reference_id":"2441715","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441715"},{"reference_url":"https://github.com/libvips/libvips/issues/4857","reference_id":"4857","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"2.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:14:08Z/"}],"url":"https://github.com/libvips/libvips/issues/4857"},{"reference_url":"https://github.com/libvips/libvips/issues/4857#issue-3920154326","reference_id":"4857#issue-3920154326","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"2.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:14:08Z/"}],"url":"https://github.com/libvips/libvips/issues/4857#issue-3920154326"},{"reference_url":"https://github.com/libvips/libvips/issues/4857#issuecomment-3878479322","reference_id":"4857#issuecomment-3878479322","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"2.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:14:08Z/"}],"url":"https://github.com/libvips/libvips/issues/4857#issuecomment-3878479322"},{"reference_url":"https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee","reference_id":"a56feecbe9ed66521d9647ec9fbcd2546eccd7ee","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"2.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:14:08Z/"}],"url":"https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*"},{"reference_url":"https://vuldb.com/?ctiid.347222","reference_id":"?ctiid.347222","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"2.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:14:08Z/"}],"url":"https://vuldb.com/?ctiid.347222"},{"reference_url":"https://vuldb.com/?id.347222","reference_id":"?id.347222","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"2.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:14:08Z/"}],"url":"https://vuldb.com/?id.347222"},{"reference_url":"https://github.com/libvips/libvips/","reference_id":"libvips","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"2.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:14:08Z/"}],"url":"https://github.com/libvips/libvips/"},{"reference_url":"https://vuldb.com/?submit.755224","reference_id":"?submit.755224","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"},{"value":"2.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-23T19:14:08Z/"}],"url":"https://vuldb.com/?submit.755224"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106753?format=json","purl":"pkg:deb/debian/vips@8.18.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-2913"],"risk_score":1.1,"exploitability":"0.5","weighted_severity":"2.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cz3w-5229-yqbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85520?format=json","vulnerability_id":"VCID-d5bp-3xp3-uygr","summary":"A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is recommended to deploy a patch.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3283","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01287","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3283"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3283","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3283"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129310","reference_id":"1129310","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129310"},{"reference_url":"https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70","reference_id":"24795bb3d19d84f7b6f5ed86451ad556c8f2fe70","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70"},{"reference_url":"https://github.com/libvips/libvips/issues/4880","reference_id":"4880","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://github.com/libvips/libvips/issues/4880"},{"reference_url":"https://github.com/libvips/libvips/issues/4880#issue-3944214985","reference_id":"4880#issue-3944214985","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://github.com/libvips/libvips/issues/4880#issue-3944214985"},{"reference_url":"https://github.com/libvips/libvips/pull/4887","reference_id":"4887","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://github.com/libvips/libvips/pull/4887"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*"},{"reference_url":"https://vuldb.com/?ctiid.348012","reference_id":"?ctiid.348012","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://vuldb.com/?ctiid.348012"},{"reference_url":"https://vuldb.com/?id.348012","reference_id":"?id.348012","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://vuldb.com/?id.348012"},{"reference_url":"https://github.com/libvips/libvips/","reference_id":"libvips","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://github.com/libvips/libvips/"},{"reference_url":"https://vuldb.com/?submit.758863","reference_id":"?submit.758863","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:49:06Z/"}],"url":"https://vuldb.com/?submit.758863"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106754?format=json","purl":"pkg:deb/debian/vips@8.18.0-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.0-3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-3283"],"risk_score":2.1,"exploitability":"0.5","weighted_severity":"4.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d5bp-3xp3-uygr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211500?format=json","vulnerability_id":"VCID-dfdn-svbh-5uhx","summary":"A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3147","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07878","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3147"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129314","reference_id":"1129314","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129314"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106754?format=json","purl":"pkg:deb/debian/vips@8.18.0-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.0-3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-3147"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dfdn-svbh-5uhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211497?format=json","vulnerability_id":"VCID-jy3m-nthz-g3e6","summary":"A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Executing a manipulation can lead to memory corruption. The attack needs to be launched locally. This patch is called d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. A patch should be applied to remediate this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3145","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.0563","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3145","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3145"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129315","reference_id":"1129315","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129315"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106754?format=json","purl":"pkg:deb/debian/vips@8.18.0-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.0-3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-3145"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jy3m-nthz-g3e6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85432?format=json","vulnerability_id":"VCID-quau-v1s5-b3a4","summary":"A vulnerability was detected in libvips 8.19.0. This affects the function vips_bandrank_build of the file libvips/conversion/bandrank.c. Performing a manipulation of the argument index results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit is now public and may be used. The patch is named fd28c5463697712cb0ab116a2c55e4f4d92c4088. It is suggested to install a patch to address this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3281","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.02915","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3281"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3281","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3281"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129312","reference_id":"1129312","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129312"},{"reference_url":"https://github.com/libvips/libvips/issues/4878","reference_id":"4878","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"},{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:56:04Z/"}],"url":"https://github.com/libvips/libvips/issues/4878"},{"reference_url":"https://github.com/libvips/libvips/issues/4878#issue-3944209102","reference_id":"4878#issue-3944209102","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"},{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:56:04Z/"}],"url":"https://github.com/libvips/libvips/issues/4878#issue-3944209102"},{"reference_url":"https://github.com/libvips/libvips/pull/4895","reference_id":"4895","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"},{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:56:04Z/"}],"url":"https://github.com/libvips/libvips/pull/4895"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*"},{"reference_url":"https://vuldb.com/?ctiid.348010","reference_id":"?ctiid.348010","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"},{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:56:04Z/"}],"url":"https://vuldb.com/?ctiid.348010"},{"reference_url":"https://github.com/libvips/libvips/commit/fd28c5463697712cb0ab116a2c55e4f4d92c4088","reference_id":"fd28c5463697712cb0ab116a2c55e4f4d92c4088","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"},{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:56:04Z/"}],"url":"https://github.com/libvips/libvips/commit/fd28c5463697712cb0ab116a2c55e4f4d92c4088"},{"reference_url":"https://vuldb.com/?id.348010","reference_id":"?id.348010","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"},{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:56:04Z/"}],"url":"https://vuldb.com/?id.348010"},{"reference_url":"https://github.com/libvips/libvips/","reference_id":"libvips","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"},{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:56:04Z/"}],"url":"https://github.com/libvips/libvips/"},{"reference_url":"https://vuldb.com/?submit.758861","reference_id":"?submit.758861","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"},{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:56:04Z/"}],"url":"https://vuldb.com/?submit.758861"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106754?format=json","purl":"pkg:deb/debian/vips@8.18.0-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.0-3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-3281"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-quau-v1s5-b3a4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85386?format=json","vulnerability_id":"VCID-um8m-4ww1-tke3","summary":"A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null pointer dereference. The attack needs to be performed locally. The identifier of the patch is d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. To fix this issue, it is recommended to deploy a patch.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3146","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.04077","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3146"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129315","reference_id":"1129315","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129315"},{"reference_url":"https://github.com/libvips/libvips/issues/4875","reference_id":"4875","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T15:52:26Z/"}],"url":"https://github.com/libvips/libvips/issues/4875"},{"reference_url":"https://github.com/libvips/libvips/pull/4888","reference_id":"4888","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T15:52:26Z/"}],"url":"https://github.com/libvips/libvips/pull/4888"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*"},{"reference_url":"https://vuldb.com/?ctiid.347652","reference_id":"?ctiid.347652","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T15:52:26Z/"}],"url":"https://vuldb.com/?ctiid.347652"},{"reference_url":"https://github.com/libvips/libvips/commit/d4ce337c76bff1b278d7085c3c4f4725e3aa6ece","reference_id":"d4ce337c76bff1b278d7085c3c4f4725e3aa6ece","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T15:52:26Z/"}],"url":"https://github.com/libvips/libvips/commit/d4ce337c76bff1b278d7085c3c4f4725e3aa6ece"},{"reference_url":"https://vuldb.com/?id.347652","reference_id":"?id.347652","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T15:52:26Z/"}],"url":"https://vuldb.com/?id.347652"},{"reference_url":"https://github.com/libvips/libvips/","reference_id":"libvips","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T15:52:26Z/"}],"url":"https://github.com/libvips/libvips/"},{"reference_url":"https://vuldb.com/?submit.758691","reference_id":"?submit.758691","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T15:52:26Z/"}],"url":"https://vuldb.com/?submit.758691"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106754?format=json","purl":"pkg:deb/debian/vips@8.18.0-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.0-3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-3146"],"risk_score":2.1,"exploitability":"0.5","weighted_severity":"4.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-um8m-4ww1-tke3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100949?format=json","vulnerability_id":"VCID-w1c6-b16t-ufcv","summary":"libvips is a demand-driven, horizontally threaded image processing library. For versions 8.17.1 and below, when libvips is compiled with support for PDF input via poppler, the pdfload operation is affected by a buffer read overflow when parsing the header of a crafted PDF with a page that defines a width but not a height. Those using libvips compiled without support for PDF input are unaffected as well as thosewith support for PDF input via PDFium. This issue is fixed in version 8.17.2. A workaround for those affected is to block the VipsForeignLoadPdf operation via vips_operation_block_set, which is available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED environment variable at runtime, which will block all untrusted loaders including PDF input via poppler.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59933","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08075","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59933"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59933","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59933"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117049","reference_id":"1117049","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117049"},{"reference_url":"https://github.com/libvips/libvips/commit/a58bfae9223a5466cc81ba9fe6dfb08233cf17d1","reference_id":"a58bfae9223a5466cc81ba9fe6dfb08233cf17d1","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-30T13:32:22Z/"}],"url":"https://github.com/libvips/libvips/commit/a58bfae9223a5466cc81ba9fe6dfb08233cf17d1"},{"reference_url":"https://github.com/libvips/libvips/security/advisories/GHSA-q8px-4w5q-c2r4","reference_id":"GHSA-q8px-4w5q-c2r4","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-30T13:32:22Z/"}],"url":"https://github.com/libvips/libvips/security/advisories/GHSA-q8px-4w5q-c2r4"},{"reference_url":"https://github.com/libvips/libvips/releases/tag/v8.17.2","reference_id":"v8.17.2","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-30T13:32:22Z/"}],"url":"https://github.com/libvips/libvips/releases/tag/v8.17.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106752?format=json","purl":"pkg:deb/debian/vips@8.17.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.17.3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2025-59933"],"risk_score":2.3,"exploitability":"0.5","weighted_severity":"4.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w1c6-b16t-ufcv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85746?format=json","vulnerability_id":"VCID-zcms-g4vq-4bgs","summary":"A flaw has been found in libvips 8.19.0. This vulnerability affects the function vips_unpremultiply_build of the file libvips/conversion/unpremultiply.c. Executing a manipulation of the argument alpha_band can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91. A patch should be applied to remediate this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3282","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01287","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3282"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3282","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3282"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129311","reference_id":"1129311","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129311"},{"reference_url":"https://github.com/libvips/libvips/issues/4881","reference_id":"4881","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:55:37Z/"}],"url":"https://github.com/libvips/libvips/issues/4881"},{"reference_url":"https://github.com/libvips/libvips/issues/4881#issue-3944216443","reference_id":"4881#issue-3944216443","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:55:37Z/"}],"url":"https://github.com/libvips/libvips/issues/4881#issue-3944216443"},{"reference_url":"https://github.com/libvips/libvips/pull/4886","reference_id":"4886","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:55:37Z/"}],"url":"https://github.com/libvips/libvips/pull/4886"},{"reference_url":"https://github.com/libvips/libvips/commit/7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91","reference_id":"7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:55:37Z/"}],"url":"https://github.com/libvips/libvips/commit/7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*:*"},{"reference_url":"https://vuldb.com/?ctiid.348011","reference_id":"?ctiid.348011","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:55:37Z/"}],"url":"https://vuldb.com/?ctiid.348011"},{"reference_url":"https://vuldb.com/?id.348011","reference_id":"?id.348011","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:55:37Z/"}],"url":"https://vuldb.com/?id.348011"},{"reference_url":"https://github.com/libvips/libvips/","reference_id":"libvips","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:55:37Z/"}],"url":"https://github.com/libvips/libvips/"},{"reference_url":"https://vuldb.com/?submit.758862","reference_id":"?submit.758862","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C"},{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T18:55:37Z/"}],"url":"https://vuldb.com/?submit.758862"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106754?format=json","purl":"pkg:deb/debian/vips@8.18.0-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.0-3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2026-3282"],"risk_score":2.1,"exploitability":"0.5","weighted_severity":"4.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zcms-g4vq-4bgs"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/178214?format=json","vulnerability_id":"VCID-2jzg-p9jc-3kgf","summary":"A vulnerability in VIPS could result in privilege escalation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-3364","reference_id":"","reference_type":"","scores":[{"value":"0.00143","scoring_system":"epss","scoring_elements":"0.3442","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-3364"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3364","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3364"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598296","reference_id":"598296","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598296"},{"reference_url":"https://security.gentoo.org/glsa/201401-29","reference_id":"GLSA-201401-29","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201401-29"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106738?format=json","purl":"pkg:deb/debian/vips@7.14.5-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@7.14.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106739?format=json","purl":"pkg:deb/debian/vips@8.10.5-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8946-28v3-6yh7"},{"vulnerability":"VCID-cz3w-5229-yqbb"},{"vulnerability":"VCID-d5bp-3xp3-uygr"},{"vulnerability":"VCID-dfdn-svbh-5uhx"},{"vulnerability":"VCID-jy3m-nthz-g3e6"},{"vulnerability":"VCID-quau-v1s5-b3a4"},{"vulnerability":"VCID-um8m-4ww1-tke3"},{"vulnerability":"VCID-w1c6-b16t-ufcv"},{"vulnerability":"VCID-zcms-g4vq-4bgs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2010-3364"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2jzg-p9jc-3kgf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/108530?format=json","vulnerability_id":"VCID-3vx1-357j-6qh3","summary":"libvips is a demand-driven, horizontally threaded image processing library.  The heifsave operation could incorrectly determine the presence of an alpha channel in an input when it was not possible to determine the colour interpretation, known internally within libvips as \"multiband\". There aren't many ways to create a \"multiband\" input, but it is possible with a well-crafted TIFF image. If a \"multiband\" TIFF input image had 4 channels and HEIF-based output was requested, this led to libvips creating a 3 channel HEIF image without an alpha channel but then attempting to write 4 channels of data. This caused a heap buffer overflow, which could crash the process. This vulnerability is fixed in 8.16.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-29769","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.12999","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-29769"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29769","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29769"},{"reference_url":"https://issues.oss-fuzz.com/issues/396460413","reference_id":"396460413","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-08T14:20:52Z/"}],"url":"https://issues.oss-fuzz.com/issues/396460413"},{"reference_url":"https://github.com/libvips/libvips/pull/4392","reference_id":"4392","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-08T14:20:52Z/"}],"url":"https://github.com/libvips/libvips/pull/4392"},{"reference_url":"https://github.com/libvips/libvips/pull/4394","reference_id":"4394","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-08T14:20:52Z/"}],"url":"https://github.com/libvips/libvips/pull/4394"},{"reference_url":"https://github.com/libvips/libvips/commit/9ab6784f693de50b00fa535b9efbbe9d2cbf71f2","reference_id":"9ab6784f693de50b00fa535b9efbbe9d2cbf71f2","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-08T14:20:52Z/"}],"url":"https://github.com/libvips/libvips/commit/9ab6784f693de50b00fa535b9efbbe9d2cbf71f2"},{"reference_url":"https://github.com/libvips/libvips/security/advisories/GHSA-f8r8-43hh-rghm","reference_id":"GHSA-f8r8-43hh-rghm","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-08T14:20:52Z/"}],"url":"https://github.com/libvips/libvips/security/advisories/GHSA-f8r8-43hh-rghm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106739?format=json","purl":"pkg:deb/debian/vips@8.10.5-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8946-28v3-6yh7"},{"vulnerability":"VCID-cz3w-5229-yqbb"},{"vulnerability":"VCID-d5bp-3xp3-uygr"},{"vulnerability":"VCID-dfdn-svbh-5uhx"},{"vulnerability":"VCID-jy3m-nthz-g3e6"},{"vulnerability":"VCID-quau-v1s5-b3a4"},{"vulnerability":"VCID-um8m-4ww1-tke3"},{"vulnerability":"VCID-w1c6-b16t-ufcv"},{"vulnerability":"VCID-zcms-g4vq-4bgs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106750?format=json","purl":"pkg:deb/debian/vips@8.10.5-2%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106749?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106751?format=json","purl":"pkg:deb/debian/vips@8.16.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2025-29769"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3vx1-357j-6qh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208363?format=json","vulnerability_id":"VCID-4cq4-34f5-5bfy","summary":"Division-By-Zero vulnerability in Libvips 8.10.5 in the function vips_eye_point, eye.c#L83, and function vips_mask_point, mask.c#L85.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27847","reference_id":"","reference_type":"","scores":[{"value":"0.00097","scoring_system":"epss","scoring_elements":"0.26692","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27847"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27847","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27847"},{"reference_url":"https://usn.ubuntu.com/6437-1/","reference_id":"USN-6437-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6437-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106746?format=json","purl":"pkg:deb/debian/vips@8.8.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.8.3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106739?format=json","purl":"pkg:deb/debian/vips@8.10.5-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8946-28v3-6yh7"},{"vulnerability":"VCID-cz3w-5229-yqbb"},{"vulnerability":"VCID-d5bp-3xp3-uygr"},{"vulnerability":"VCID-dfdn-svbh-5uhx"},{"vulnerability":"VCID-jy3m-nthz-g3e6"},{"vulnerability":"VCID-quau-v1s5-b3a4"},{"vulnerability":"VCID-um8m-4ww1-tke3"},{"vulnerability":"VCID-w1c6-b16t-ufcv"},{"vulnerability":"VCID-zcms-g4vq-4bgs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2021-27847"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4cq4-34f5-5bfy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207844?format=json","vulnerability_id":"VCID-8qrt-xzsd-yfgm","summary":"im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-20739","reference_id":"","reference_type":"","scores":[{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42093","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-20739"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20739","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20739"},{"reference_url":"https://usn.ubuntu.com/6437-1/","reference_id":"USN-6437-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6437-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106745?format=json","purl":"pkg:deb/debian/vips@8.9.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.9.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106739?format=json","purl":"pkg:deb/debian/vips@8.10.5-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8946-28v3-6yh7"},{"vulnerability":"VCID-cz3w-5229-yqbb"},{"vulnerability":"VCID-d5bp-3xp3-uygr"},{"vulnerability":"VCID-dfdn-svbh-5uhx"},{"vulnerability":"VCID-jy3m-nthz-g3e6"},{"vulnerability":"VCID-quau-v1s5-b3a4"},{"vulnerability":"VCID-um8m-4ww1-tke3"},{"vulnerability":"VCID-w1c6-b16t-ufcv"},{"vulnerability":"VCID-zcms-g4vq-4bgs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2020-20739"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8qrt-xzsd-yfgm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/219239?format=json","vulnerability_id":"VCID-h2cq-8gw3-4qbr","summary":"libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40032","reference_id":"","reference_type":"","scores":[{"value":"0.00133","scoring_system":"epss","scoring_elements":"0.32472","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40032"},{"reference_url":"https://usn.ubuntu.com/6437-1/","reference_id":"USN-6437-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6437-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106743?format=json","purl":"pkg:deb/debian/vips@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106739?format=json","purl":"pkg:deb/debian/vips@8.10.5-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8946-28v3-6yh7"},{"vulnerability":"VCID-cz3w-5229-yqbb"},{"vulnerability":"VCID-d5bp-3xp3-uygr"},{"vulnerability":"VCID-dfdn-svbh-5uhx"},{"vulnerability":"VCID-jy3m-nthz-g3e6"},{"vulnerability":"VCID-quau-v1s5-b3a4"},{"vulnerability":"VCID-um8m-4ww1-tke3"},{"vulnerability":"VCID-w1c6-b16t-ufcv"},{"vulnerability":"VCID-zcms-g4vq-4bgs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106747?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106748?format=json","purl":"pkg:deb/debian/vips@8.14.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2023-40032"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h2cq-8gw3-4qbr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/206502?format=json","vulnerability_id":"VCID-hmfh-fj7j-u7gz","summary":"In libvips before 8.6.3, a NULL function pointer dereference vulnerability was found in the vips_region_generate function in region.c, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted image file. This occurs because of a race condition involving a failed delayed load and other worker threads.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7998","reference_id":"","reference_type":"","scores":[{"value":"0.00346","scoring_system":"epss","scoring_elements":"0.57528","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7998"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7998","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7998"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892589","reference_id":"892589","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892589"},{"reference_url":"https://usn.ubuntu.com/6437-1/","reference_id":"USN-6437-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6437-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106742?format=json","purl":"pkg:deb/debian/vips@8.4.5-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.4.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106739?format=json","purl":"pkg:deb/debian/vips@8.10.5-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8946-28v3-6yh7"},{"vulnerability":"VCID-cz3w-5229-yqbb"},{"vulnerability":"VCID-d5bp-3xp3-uygr"},{"vulnerability":"VCID-dfdn-svbh-5uhx"},{"vulnerability":"VCID-jy3m-nthz-g3e6"},{"vulnerability":"VCID-quau-v1s5-b3a4"},{"vulnerability":"VCID-um8m-4ww1-tke3"},{"vulnerability":"VCID-w1c6-b16t-ufcv"},{"vulnerability":"VCID-zcms-g4vq-4bgs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2018-7998"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hmfh-fj7j-u7gz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/219238?format=json","vulnerability_id":"VCID-nhw4-ugdt-8qf9","summary":"vips_foreign_load_gif_scan_image in foreign/gifload.c in libvips before 8.8.2 tries to access a color map before a DGifGetImageDesc call, leading to a use-after-free.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-17534","reference_id":"","reference_type":"","scores":[{"value":"0.00831","scoring_system":"epss","scoring_elements":"0.75003","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-17534"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106743?format=json","purl":"pkg:deb/debian/vips@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106739?format=json","purl":"pkg:deb/debian/vips@8.10.5-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8946-28v3-6yh7"},{"vulnerability":"VCID-cz3w-5229-yqbb"},{"vulnerability":"VCID-d5bp-3xp3-uygr"},{"vulnerability":"VCID-dfdn-svbh-5uhx"},{"vulnerability":"VCID-jy3m-nthz-g3e6"},{"vulnerability":"VCID-quau-v1s5-b3a4"},{"vulnerability":"VCID-um8m-4ww1-tke3"},{"vulnerability":"VCID-w1c6-b16t-ufcv"},{"vulnerability":"VCID-zcms-g4vq-4bgs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2019-17534"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nhw4-ugdt-8qf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207369?format=json","vulnerability_id":"VCID-qpjv-4561-ebb8","summary":"libvips before 8.7.4 generates output images from uninitialized memory locations when processing corrupted input image data because iofuncs/memory.c does not zero out allocated memory. This can result in leaking raw process memory contents through the output image.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6976","reference_id":"","reference_type":"","scores":[{"value":"0.00267","scoring_system":"epss","scoring_elements":"0.50512","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6976"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6976","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6976"},{"reference_url":"https://usn.ubuntu.com/6437-1/","reference_id":"USN-6437-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6437-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/106744?format=json","purl":"pkg:deb/debian/vips@8.7.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.7.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106739?format=json","purl":"pkg:deb/debian/vips@8.10.5-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8946-28v3-6yh7"},{"vulnerability":"VCID-cz3w-5229-yqbb"},{"vulnerability":"VCID-d5bp-3xp3-uygr"},{"vulnerability":"VCID-dfdn-svbh-5uhx"},{"vulnerability":"VCID-jy3m-nthz-g3e6"},{"vulnerability":"VCID-quau-v1s5-b3a4"},{"vulnerability":"VCID-um8m-4ww1-tke3"},{"vulnerability":"VCID-w1c6-b16t-ufcv"},{"vulnerability":"VCID-zcms-g4vq-4bgs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106737?format=json","purl":"pkg:deb/debian/vips@8.14.1-3%2Bdeb12u3?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.14.1-3%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106741?format=json","purl":"pkg:deb/debian/vips@8.16.1-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1c6-b16t-ufcv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.16.1-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/106740?format=json","purl":"pkg:deb/debian/vips@8.18.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.18.2-1%3Fdistro=trixie"}],"aliases":["CVE-2019-6976"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qpjv-4561-ebb8"}],"risk_score":"2.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/vips@8.10.5-2%3Fdistro=trixie"}