{"url":"http://public2.vulnerablecode.io/api/packages/11873?format=json","purl":"pkg:pypi/matrix-synapse@0.33.7","type":"pypi","namespace":"","name":"matrix-synapse","version":"0.33.7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.106.0","latest_non_vulnerable_version":"1.152.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8075?format=json","vulnerability_id":"VCID-1cxk-wn3b-jycq","summary":"Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0, requests to user-provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Affected outbound requests are those made for federation, to identity servers, when calculating the key validity for third-party invite events, when sending push notifications, and when generating URL previews. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. 
See referenced GitHub security advisory for details and workarounds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21392","reference_id":"","reference_type":"","scores":[{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41975","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21392"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/4ca054a4eaa714d0befb4fc30b19a1131e52c9cc","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/4ca054a4eaa714d0befb4fc30b19a1131e52c9cc"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9240","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9240"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78","reference_id":""
,"reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-25.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-25.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21392","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"
value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21392"},{"reference_url":"https://pypi.org/project/matrix-synapse","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/matrix-synapse"},{"reference_url":"https://pypi.org/project/matrix-synapse/","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/matrix-synapse/"},{"reference_url":"https://github.com/advisories/GHSA-5wrh-4jwv-5w78","reference_id":"GHSA-5wrh-4jwv-5w78","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5wrh-4jwv-5w78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20259?format=json","purl":"pkg:pypi/matrix-synapse@1.28.0rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1cxk-wn3b-jycq"},{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-k689-rvyd-e3hp"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"},{"vulnerability":"VCID-zvev-sm5c-suh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0rc1"},{"url":"http://public2.vulnerablecode.io/ap
i/packages/20260?format=json","purl":"pkg:pypi/matrix-synapse@1.28.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0"}],"aliases":["CVE-2021-21392","GHSA-5wrh-4jwv-5w78","PYSEC-2021-25"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1cxk-wn3b-jycq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8418?format=json","vulnerability_id":"VCID-3stp-shy4-dudr","summary":"Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for. Remote users are not able to exploit this directly, because the URL preview endpoint is authenticated. Deployments with `url_preview_enabled: false` set in configuration are not affected. 
Deployments with `url_preview_enabled: true` set in configuration **are** affected. Deployments with no configuration value set for `url_preview_enabled` are not affected, because the default is `false`. Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher. Users unable to upgrade should set `url_preview_enabled` to false.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31052","reference_id":"","reference_type":"","scores":[{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59458","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31052"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:10Z/"}],"url":"https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_syst
em":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:10Z/"}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-224.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-224.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fe
doraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/"},{"reference_url":"https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:10Z/"}],"url":"https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/","reference_id":"7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF","reference_type":"","scores":[{"value":"6.5
","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:10Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31052","reference_id":"CVE-2022-31052","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31052"},{"reference_url":"https://github.com/advisories/GHSA-22p3-qrh9-cx32","reference_id":"GHSA-22p3-qrh9-cx32","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-22p3-qrh9-cx32"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/","reference_id":"QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:10Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26988?format=json","purl":"pkg:pypi/matrix-synapse@1.61.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerabili
ty":"VCID-9wuf-2wxr-z7a8"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.61.1"}],"aliases":["CVE-2022-31052","GHSA-22p3-qrh9-cx32","PYSEC-2022-224"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3stp-shy4-dudr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5211?format=json","vulnerability_id":"VCID-3tbz-jcb2-4fdn","summary":"directory traversal","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41281","reference_id":"","reference_type":"","scores":[{"value":"0.00545","scoring_system":"epss","scoring_elements":"0.68092","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41281"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/91f2bd090","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","sc
oring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/91f2bd090"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.47.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.47.1"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-436.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-436.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_sy
stem":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000451","reference_id":"1000451","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000451"},{"reference_url":"https://security.archlinux.org/AVG-2581","reference_id":"AVG-2581","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2581"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41281","reference_id":"CVE-2021-41281","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41281"}
,{"reference_url":"https://github.com/advisories/GHSA-3hfw-x7gx-437c","reference_id":"GHSA-3hfw-x7gx-437c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3hfw-x7gx-437c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23842?format=json","purl":"pkg:pypi/matrix-synapse@1.47.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-9wuf-2wxr-z7a8"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.47.1"}],"aliases":["CVE-2021-41281","GHSA-3hfw-x7gx-437c","PYSEC-2021-436"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3tbz-jcb2-4fdn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5376?format=json","vulnerability_id":"VCID-43wz-3reu-s3ep","summary":"information 
disclosure","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39163","reference_id":"","reference_type":"","scores":[{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41926","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39163"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/cb35df940a","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/cb35df940a"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.41.1","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.41.1"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:
3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-424.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-424.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7I
D7DNBRN2TVTETU3SYQHJKEG6PXN","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/"},{"reference_url":"https://security.archlinux.org/AVG-2334","reference_id":"AVG-2334","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2334"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39163","reference_id":"CVE-2021-39163","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39163"},{"reference_url":"https://github.com/advisories/GHSA-jj53-8fmw-f2w2","reference_id":"GHSA-jj53-8fmw-f2w2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jj53-8fmw-f2w2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22274?format=json","purl":"pkg:pypi/matrix-synapse@1.41.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3st
p-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-9wuf-2wxr-z7a8"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.41.1"}],"aliases":["CVE-2021-39163","GHSA-jj53-8fmw-f2w2","PYSEC-2021-424"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-43wz-3reu-s3ep"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8066?format=json","vulnerability_id":"VCID-5b91-nm22-5uh4","summary":"Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the emails sent to notify users of missed messages or of an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default, and in that case the HTML injection is not controllable by an attacker. 
This is fixed in version 1.27.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21333","reference_id":"","reference_type":"","scores":[{"value":"0.00385","scoring_system":"epss","scoring_elements":"0.59988","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21333"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9200","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9200"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.27.0","reference_id":"","reference_type":"","scores":[{"value":"
6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.27.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-134.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-134.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elem
ents":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21333","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21333"},{"reference_url":"https://github.com/advisories/GHSA-c5f8-35qr-q4fm","reference_id":"GHSA-c5f8-35qr-q4fm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c5f8-35qr-q4fm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19233?format=json","purl":"pkg:pypi/matrix-synapse@1.27.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1cxk-wn3b-jycq"},{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-k689-rvyd-e3hp"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"},{"vulnerability":"VCID-zvev-sm5c-suh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.27.0"}],"aliases":["CVE-2021-21333","GHSA-c5f8-35qr-q4fm","PYSEC-2021-134"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vuln
erablecode.io/vulnerabilities/VCID-5b91-nm22-5uh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7709?format=json","vulnerability_id":"VCID-5d98-hf1n-17aq","summary":"An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11842","reference_id":"","reference_type":"","scores":[{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.6143","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11842"},{"reference_url":"https://github.com/advisories/GHSA-gwf7-vfjf-wf6x","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gwf7-vfjf-wf6x"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-185.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-185.yaml"},{"reference_url":"https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"
cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a"},{"reference_url":"https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a/","reference_id":"","reference_type":"","scores":[],"url":"https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11842","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11842"},{"reference_url":"https://usn.ubuntu.com/6076-1/","reference_id":"USN-6076-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6076-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/12236?format=json","purl":"pkg:pypi/matrix-synapse@0.99.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1cxk-wn3b-jycq"},{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5b91-nm22-5uh4"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-cff6-n5gz-jfhe"},{"vulnerability":"VCID-fmqv-a8qr-gqfz"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnera
bility":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-k689-rvyd-e3hp"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-ng8b-cs3a-cqa7"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-sh81-25ty-4bgn"},{"vulnerability":"VCID-sqmn-ffjr-s7bc"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-vb2z-kkev-aues"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"},{"vulnerability":"VCID-zdxd-83uy-hbad"},{"vulnerability":"VCID-zvev-sm5c-suh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@0.99.3.1"}],"aliases":["CVE-2019-11842","GHSA-gwf7-vfjf-wf6x","PYSEC-2019-185"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5d98-hf1n-17aq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8903?format=json","vulnerability_id":"VCID-5fgp-pcfw-33gk","summary":"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. 
As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45129.json","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45129.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45129","reference_id":"","reference_type":"","scores":[{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50246","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45129"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/f84da3c32ec74cf054e2fd6d10618aa4997cffaa","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/f84da3c32ec74cf054e2fd6d10618aa4997cffaa"},{"reference_url":"https://github.com/matrix-org/synapse/pull/16360","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A
:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/16360"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-199.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-199.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/
message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3"},{"reference_url":"https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version"},{"reference_url":"https://security.gentoo.org/glsa/202401-12","reference_id":"","reference_type
":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202401-12"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2243128","reference_id":"2243128","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2243128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45129","reference_id":"CVE-2023-45129","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45129"},{"reference_url":"https://github.com/advisories/GHSA-5chr-wjw5-3gq4","reference_id":"GHSA-5chr-wjw5-3gq4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5chr-wjw5-3gq4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35214?format=json","purl":"pkg:pypi/matrix-synapse@1.94.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.94.0"}],"aliases":["CVE-2023-45129","GHSA-5chr-wjw5-3gq4","PYSEC-2023-199"],"risk_score":2.2,"exploitability":"0.5","weighted_severity":"4.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5fgp-pcfw-33gk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8788?forma
t=json","vulnerability_id":"VCID-66cm-6sgb-bqft","summary":"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39335","reference_id":"","reference_type":"","scores":[{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35159","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39335"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/issues/13288","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements"
:""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:45:19Z/"}],"url":"https://github.com/matrix-org/synapse/issues/13288"},{"reference_url":"https://github.com/matrix-org/synapse/pull/13823","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:45:19Z/"}],"url":"https://github.com/matrix-org/synapse/pull/13823"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:45:19Z/"}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-65.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements"
:"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-65.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39335","reference_id":"CVE-2022-39335","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39335"},{"reference_url":"https://github.com/advisories/GHSA-45cj-f97f-ggwv","reference_id":"GHSA-45cj-f97f-ggwv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-45cj-f97f-ggwv"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS/","reference_id":"T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P
:M/B:A/M:M/D:T/2025-01-14T19:45:19Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS/"},{"reference_url":"https://usn.ubuntu.com/7444-1/","reference_id":"USN-7444-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7444-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32721?format=json","purl":"pkg:pypi/matrix-synapse@1.69.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-9wuf-2wxr-z7a8"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-x5jc-ezaq-xudd"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.69.0"}],"aliases":["CVE-2022-39335","GHSA-45cj-f97f-ggwv","PYSEC-2023-65"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-66cm-6sgb-bqft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5375?format=json","vulnerability_id":"VCID-arh5-tp1n-nubq","summary":"information 
disclosure","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39164","reference_id":"","reference_type":"","scores":[{"value":"0.00271","scoring_system":"epss","scoring_elements":"0.50746","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39164"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/cb35df940a","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/cb35df940a"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.41.1","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.41.1"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-425.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.1","
scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-425.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/"},{"reference_url":"https://
security.archlinux.org/AVG-2334","reference_id":"AVG-2334","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2334"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39164","reference_id":"CVE-2021-39164","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39164"},{"reference_url":"https://github.com/advisories/GHSA-3x4c-pq33-4w3q","reference_id":"GHSA-3x4c-pq33-4w3q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3x4c-pq33-4w3q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22274?format=json","purl":"pkg:pypi/matrix-synapse@1.41.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-9wuf-2wxr-z7a8"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.41.1"}],"aliases":["CVE-2021-39164","GHSA-3x4c-pq33-4w3q","PYSEC-2021-425"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-arh5-tp1n-nubq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4420?format=json","vulnerability_id":"VCID-ary1-cnnt-duhg","summary":"private key 
recovery","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5885","reference_id":"","reference_type":"","scores":[{"value":"0.00773","scoring_system":"epss","scoring_elements":"0.73885","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5885"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/blob/67f9e5293ea6650b2ec284c0b7503f3f3eade94b/docs/changelogs/CHANGES-pre-1.0.md?plain=1#L460","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/blob/67f9e5293ea6650b2ec284c0b7503f3f3eade94b/docs/changelogs/CHANGES-pre-1.0.md?plain=1#L460"},{"reference_url":"https://github.com/matrix-org/synapse/issues/4664","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/issues/4664"},{"reference_url":"https://github.com/matrix-org/synapse/pull/4315","reference_
id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/4315"},{"reference_url":"https://github.com/matrix-org/synapse/pull/4373","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/4373"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-187.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-187.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedorapr
oject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K/"},{"reference_url":"https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1"},
{"reference_url":"https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/","reference_id":"","reference_type":"","scores":[],"url":"https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/"},{"reference_url":"https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885"},{"reference_url":"https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/","reference_id":"","reference_type":"","scores":[],"url":"https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/"},{"reference_url":"https://security.archlinux.org/ASA-201901-12","reference_id":"ASA-201901-12","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201901-12"},{"reference_url":"https://security.archlinux.org/AVG-846","reference_id":"AVG-846","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-846"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5885","reference_id":"CVE-2019-5885","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","sc
oring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5885"},{"reference_url":"https://github.com/advisories/GHSA-jrqm-v8cv-53ww","reference_id":"GHSA-jrqm-v8cv-53ww","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jrqm-v8cv-53ww"},{"reference_url":"https://usn.ubuntu.com/6076-1/","reference_id":"USN-6076-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6076-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/11880?format=json","purl":"pkg:pypi/matrix-synapse@0.34.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1cxk-wn3b-jycq"},{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5b91-nm22-5uh4"},{"vulnerability":"VCID-5d98-hf1n-17aq"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-cff6-n5gz-jfhe"},{"vulnerability":"VCID-fmqv-a8qr-gqfz"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-k689-rvyd-e3hp"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-ng8b-cs3a-cqa7"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-sh81-25ty-4bgn"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-vb2z-kkev-aues"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"},{"vulnerability":"VCID-zdxd-83uy-hbad"},{"vulnerability":"VCID-zvev-sm5c-suh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@0.34.0.1"}],"aliases":["CVE-2019-5885","GHSA-jrqm-v8cv-53ww",
"PYSEC-2019-187"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ary1-cnnt-duhg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5933?format=json","vulnerability_id":"VCID-cff6-n5gz-jfhe","summary":"denial of service","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26257","reference_id":"","reference_type":"","scores":[{"value":"0.0045","scoring_system":"epss","scoring_elements":"0.63934","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26257"},{"reference_url":"https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09"},{"reference_url":"https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b"},{"reference_url":"https://github.com/matrix-org/synapse/pull/8776","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_s
ystem":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/8776"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-236.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-236.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC"},{"re
ference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26257","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26257"},{"reference_url":"https://security.archlinux.org/AVG-1341","reference_id":"AVG-1341","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://sec
urity.archlinux.org/AVG-1341"},{"reference_url":"https://github.com/advisories/GHSA-hxmp-pqch-c8mm","reference_id":"GHSA-hxmp-pqch-c8mm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hxmp-pqch-c8mm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18071?format=json","purl":"pkg:pypi/matrix-synapse@1.23.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1cxk-wn3b-jycq"},{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5b91-nm22-5uh4"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-fmqv-a8qr-gqfz"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-k689-rvyd-e3hp"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-sqmn-ffjr-s7bc"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-vb2z-kkev-aues"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"},{"vulnerability":"VCID-zvev-sm5c-suh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.23.1"}],"aliases":["CVE-2020-26257","GHSA-hxmp-pqch-c8mm","PYSEC-2020-236"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cff6-n5gz-jfhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8067?format=json","vulnerability_id":"VCID-fmqv-a8qr-gqfz","summary":"Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. 
In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. This is fixed in version 1.27.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21332","reference_id":"","reference_type":"","scores":[{"value":"0.00505","scoring_system":"epss","scoring_elements":"0.66505","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21332"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9200","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_syst
em":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9200"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.27.0","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.27.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-133.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-133.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS
7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21332","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21332"},{"reference_url":"https://github.com/advisories/GHSA-246w-56m2-5899","reference_id":"GHSA-246w-56m2-5899","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-246w-56m2-5899"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19233?format=json","purl":"pkg:pypi/matrix-synapse@1.27.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1cxk-wn3b-jycq"},{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-k689-rvyd-e3hp"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerabil
ity":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"},{"vulnerability":"VCID-zvev-sm5c-suh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.27.0"}],"aliases":["CVE-2021-21332","GHSA-246w-56m2-5899","PYSEC-2021-133"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fmqv-a8qr-gqfz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9283?format=json","vulnerability_id":"VCID-g7rm-55dm-tybk","summary":"Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to complete unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new \"leaky bucket\" rate limit on remote media downloads to reduce the amount of data a user can request at a time. 
This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37302","reference_id":"","reference_type":"","scores":[{"value":"0.00568","scoring_system":"epss","scoring_elements":"0.68844","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37302"},{"reference_url":"https://github.com/element-hq/synapse","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse"},{"reference_url":"https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T18:55:21Z/"}],"url":"https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37302","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}]
,"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37302"},{"reference_url":"https://github.com/advisories/GHSA-4mhg-xv73-xq2x","reference_id":"GHSA-4mhg-xv73-xq2x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4mhg-xv73-xq2x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/187298?format=json","purl":"pkg:pypi/matrix-synapse@1.106","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106"},{"url":"http://public2.vulnerablecode.io/api/packages/43088?format=json","purl":"pkg:pypi/matrix-synapse@1.106.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106.0"}],"aliases":["CVE-2024-37302","GHSA-4mhg-xv73-xq2x","PYSEC-2024-286"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g7rm-55dm-tybk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5617?format=json","vulnerability_id":"VCID-jg9y-53m4-5bb6","summary":"denial of 
service","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29471","reference_id":"","reference_type":"","scores":[{"value":"0.00337","scoring_system":"epss","scoring_elements":"0.56765","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29471"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.33.2","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.33.2"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85","reference_id":"","reference_type":"","sco
res":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-135.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-135.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29471","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MOD
ERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29471"},{"reference_url":"https://security.archlinux.org/ASA-202105-19","reference_id":"ASA-202105-19","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202105-19"},{"reference_url":"https://security.archlinux.org/AVG-1943","reference_id":"AVG-1943","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1943"},{"reference_url":"https://github.com/advisories/GHSA-x345-32rc-8h85","reference_id":"GHSA-x345-32rc-8h85","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x345-32rc-8h85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20651?format=json","purl":"pkg:pypi/matrix-synapse@1.33.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.33.2"}],"aliases":["CVE-2021-29471","GHSA-x345-32rc-8h85","PYSEC-2021-135"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jg9y-53m4-5bb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8074?format=json","vulnerability_id":"VCID-k689-rvyd-e3hp","summary":"Synapse is a Matrix reference homeserver written in python (pypi package 
matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0, missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory, leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21394","reference_id":"","reference_type":"","scores":[{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.67078","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21394"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9321","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9321"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9393","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements
":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9393"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-27.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-27.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list
/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21394","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21394"},{"reference_url":"https://pypi.org/project/matrix-synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/matrix-synapse"},{"reference_url":"https://pypi.org/project/matrix-synapse/","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/matrix-synapse/"},{"reference_url":"https://github.com/advisories/GHSA-w9fg-xffh-p362","reference_id":"GHSA-w9fg-xffh-p362","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w9fg-xffh-p362"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20260?format=json","purl":"pkg:pypi/matrix-synapse@1.28.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerabilit
y":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0"}],"aliases":["CVE-2021-21394","GHSA-w9fg-xffh-p362","PYSEC-2021-27"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k689-rvyd-e3hp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8466?format=json","vulnerability_id":"VCID-mmge-uj6j-k3c2","summary":"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including version 1.61.0, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers. Administrators of homeservers with federation enabled are advised to upgrade to version 1.62.0 or higher. 
Federation can be disabled by setting [`federation_domain_whitelist`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist) to an empty list (`[]`) as a workaround.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31152","reference_id":"","reference_type":"","scores":[{"value":"0.00731","scoring_system":"epss","scoring_elements":"0.73006","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31152"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/d4b1c0d800eaa83c4d56a9cf17881ad362b9194b","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/d4b1c0d800eaa83c4d56a9cf17881ad362b9194b"},{"reference_url":"https://github.com/matrix-org/synapse/commit/e16ea87d0f8c4c30cad36f85488eb1f647e640b0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_tex
tual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/e16ea87d0f8c4c30cad36f85488eb1f647e640b0"},{"reference_url":"https://github.com/matrix-org/synapse/pull/13087","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:29Z/"}],"url":"https://github.com/matrix-org/synapse/pull/13087"},{"reference_url":"https://github.com/matrix-org/synapse/pull/13088","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:29Z/"}],"url":"https://github.com/matrix-org/synapse/pull/13088"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.62.0","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC
:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:29Z/"}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.62.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:29Z/"}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-262.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-262.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31152","reference_id":"CVE-2022-31152","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_
elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31152"},{"reference_url":"https://github.com/advisories/GHSA-jhjh-776m-4765","reference_id":"GHSA-jhjh-776m-4765","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jhjh-776m-4765"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27894?format=json","purl":"pkg:pypi/matrix-synapse@1.62.0rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-9wuf-2wxr-z7a8"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.62.0rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/27897?format=json","purl":"pkg:pypi/matrix-synapse@1.62.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1z78-c7my-5fbp"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-9wuf-2wxr-z7a8"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.62.0"}],"aliases":["CVE-2022-31152","GHSA-jhjh-776m-4765","PYSEC-2022-262"],"risk_score":4.0,"exploitability":"0.
5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mmge-uj6j-k3c2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7775?format=json","vulnerability_id":"VCID-ng8b-cs3a-cqa7","summary":"Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18835","reference_id":"","reference_type":"","scores":[{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40835","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18835"},{"reference_url":"https://github.com/advisories/GHSA-cppw-2mf8-qpm5","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cppw-2mf8-qpm5"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/172f264ed38e8bef857552f93114b4ee113a880b","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/172f2
64ed38e8bef857552f93114b4ee113a880b"},{"reference_url":"https://github.com/matrix-org/synapse/pull/6262","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/6262"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.5.0","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.5.0"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-186.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-186.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944355","reference_id":"944355","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944355"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-18835","reference_id":"CVE-2019-18835","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/A
V:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-18835"},{"reference_url":"https://usn.ubuntu.com/6076-1/","reference_id":"USN-6076-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6076-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13280?format=json","purl":"pkg:pypi/matrix-synapse@1.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1cxk-wn3b-jycq"},{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5b91-nm22-5uh4"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-cff6-n5gz-jfhe"},{"vulnerability":"VCID-fmqv-a8qr-gqfz"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-k689-rvyd-e3hp"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-sh81-25ty-4bgn"},{"vulnerability":"VCID-sqmn-ffjr-s7bc"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-vb2z-kkev-aues"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"},{"vulnerability":"VCID-zdxd-83uy-hbad"},{"vulnerability":"VCID-zvev-sm5c-suh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.5.0"}],"aliases":["CVE-2019-18835","GHSA-cppw-2mf8-qpm5","PYSEC-2019-186"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ng8b-cs3a-cqa7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabiliti
es/9284?format=json","vulnerability_id":"VCID-nmup-uep4-b7hw","summary":"Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37303","reference_id":"","reference_type":"","scores":[{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.57075","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37303"},{"reference_url":"https://github.com/element-hq/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse"},{"reference_url":"https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/A
T:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T18:49:29Z/"}],"url":"https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr"},{"reference_url":"https://github.com/matrix-org/matrix-spec-proposals/pull/3916","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T18:49:29Z/"}],"url":"https://github.com/matrix-org/matrix-spec-proposals/pull/3916"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37303","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37303"},{"reference_url":"https://github.com/advisories/GHSA-gjgr-7834-rhxr","reference_id":"GHSA-gjgr-7834-rhxr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gjgr-7834-rhxr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/187298?format=json","purl":"pkg:pypi/matrix-synapse@1.106","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/p
ackages/pkg:pypi/matrix-synapse@1.106"},{"url":"http://public2.vulnerablecode.io/api/packages/43088?format=json","purl":"pkg:pypi/matrix-synapse@1.106.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106.0"}],"aliases":["CVE-2024-37303","GHSA-gjgr-7834-rhxr","PYSEC-2024-287"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nmup-uep4-b7hw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8794?format=json","vulnerability_id":"VCID-pg5k-2upe-dudk","summary":"Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. 
Users unable to upgrade may also disable URL previews.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32683","reference_id":"","reference_type":"","scores":[{"value":"0.00268","scoring_system":"epss","scoring_elements":"0.50467","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32683"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/pull/15601","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:25:39Z/"}],"url":"https://github.com/matrix-org/synapse/pull/15601"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.85.0","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.85.0"},{"reference_url":"https://github.com/matrix-org
/synapse/security/advisories/GHSA-98px-6486-j7qc","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:25:39Z/"}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-85.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-85.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207","reference_id":"1037207","reference_type":"","scores":[],"url":"https://bugs.d
ebian.org/cgi-bin/bugreport.cgi?bug=1037207"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32683","reference_id":"CVE-2023-32683","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32683"},{"reference_url":"https://github.com/advisories/GHSA-98px-6486-j7qc","reference_id":"GHSA-98px-6486-j7qc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-98px-6486-j7qc"},{"reference_url":"https://usn.ubuntu.com/7444-1/","reference_id":"USN-7444-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7444-1/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/","reference_id":"X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:25:39Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32835?format=json","purl":"pkg:pypi/matrix-synapse@1.85.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-9wuf-2wxr-z7a8"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-x5jc-ezaq-xudd"}],"resource_url":"http://public2.vulnerableco
de.io/packages/pkg:pypi/matrix-synapse@1.85.0"}],"aliases":["CVE-2023-32683","GHSA-98px-6486-j7qc","PYSEC-2023-85"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pg5k-2upe-dudk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9104?format=json","vulnerability_id":"VCID-ry9q-34p9-auh6","summary":"Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin 
API.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-31208","reference_id":"","reference_type":"","scores":[{"value":"0.03089","scoring_system":"epss","scoring_elements":"0.87015","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-31208"},{"reference_url":"https://github.com/element-hq/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse"},{"reference_url":"https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/"}],"url":"https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a"},{"reference_url":"https://github.com/element-hq/synapse/releases/tag/v1.105.1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/"}],"url":"https://github.com/element-hq/synapse/releases/tag/v1.105.1"},{"reference_url":"https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scori
ng_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/"}],"url":"https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET","reference_id":"","reference
_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069763","reference_id":"1069763","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069763"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-31208","reference_id":"CVE-2024-31208","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-31208"},{"reference_url":"https://github.com/advisories/GHSA-3h7q-rfh9-xm4v","reference_id":"GHSA-3h7q-rfh9-xm4v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3h7q-rfh9-xm4v"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/","reference_id":"R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/","reference_id":"RR53FNHV446CB37TP45GZ6F6HZLZCK3K","reference_ty
pe":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/"},{"reference_url":"https://usn.ubuntu.com/7444-1/","reference_id":"USN-7444-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7444-1/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/","reference_id":"VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39820?format=json","purl":"pkg:pypi/matrix-synapse@1.105.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-nmup-uep4-b7hw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.105.1"}],"aliases":["CVE-2024-31208","GHSA-3h7q-rfh9-xm4v","PYSEC-2024-50"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ry9q-34p9-auh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4027?format=json","vulnerability_id":"VCID-sh81-25ty-4bgn","summary":"cross-site 
scripting","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26891","reference_id":"","reference_type":"","scores":[{"value":"0.00439","scoring_system":"epss","scoring_elements":"0.63447","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26891"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/pull/8444","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/8444"},{"reference_url":"https://github.com/matrix-org/synapse/releases","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.21.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{
"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.21.2"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-238.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-238.yaml"},{"reference_url":"https://matrix.org/blog/2020/10/15/synapse-1-21-2-released-and-security-advisory","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://matrix.org/blog/2020/10/15/synapse-1-21-2-releas
ed-and-security-advisory"},{"reference_url":"https://security.archlinux.org/ASA-202011-4","reference_id":"ASA-202011-4","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202011-4"},{"reference_url":"https://security.archlinux.org/AVG-1252","reference_id":"AVG-1252","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1252"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26891","reference_id":"CVE-2020-26891","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26891"},{"reference_url":"https://github.com/advisories/GHSA-3x8c-fmpc-5rmq","reference_id":"GHSA-3x8c-fmpc-5rmq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3x8c-fmpc-5rmq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/17423?format=json","purl":"pkg:pypi/matrix-synapse@1.21.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1cxk-wn3b-jycq"},{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5b91-nm22-5uh4"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-cff6-n5gz-jfhe"},{"vulnerability":"VCID-fmqv-a8qr-gqfz"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-k689-rvyd-e3hp"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vuln
erability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-sqmn-ffjr-s7bc"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-vb2z-kkev-aues"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"},{"vulnerability":"VCID-zvev-sm5c-suh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.21.0"}],"aliases":["CVE-2020-26891","GHSA-3x8c-fmpc-5rmq","PYSEC-2020-238"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sh81-25ty-4bgn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8932?format=json","vulnerability_id":"VCID-tug1-g6m1-j3f3","summary":"Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. 
As a workaround, the `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-43796","reference_id":"","reference_type":"","scores":[{"value":"0.00265","scoring_system":"epss","scoring_elements":"0.50135","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-43796"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-230.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/
advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-230.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY"},{"reference_url":"https://security.gentoo.org/glsa/202401-12","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202401-12"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055255","reference_id":"1055255","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055255"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43796","reference_id":"CVE-2023-43796","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nv
d.nist.gov/vuln/detail/CVE-2023-43796"},{"reference_url":"https://github.com/advisories/GHSA-mp92-3jfm-3575","reference_id":"GHSA-mp92-3jfm-3575","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mp92-3jfm-3575"},{"reference_url":"https://usn.ubuntu.com/7444-1/","reference_id":"USN-7444-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7444-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36633?format=json","purl":"pkg:pypi/matrix-synapse@1.95.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-ry9q-34p9-auh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.95.1"}],"aliases":["CVE-2023-43796","GHSA-mp92-3jfm-3575","PYSEC-2023-230"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tug1-g6m1-j3f3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8793?format=json","vulnerability_id":"VCID-v54a-sjgy-b7ca","summary":"Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting. 2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after a user is deactivated. Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated. Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. 
LDAP) are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32682","reference_id":"","reference_type":"","scores":[{"value":"0.00975","scoring_system":"epss","scoring_elements":"0.76996","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32682"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/issues/12274","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/issues/12274"},{"reference_url":"https://github.com/matrix-org/synapse/pull/15624","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-0
7T16:28:39Z/"}],"url":"https://github.com/matrix-org/synapse/pull/15624"},{"reference_url":"https://github.com/matrix-org/synapse/pull/15634","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/"}],"url":"https://github.com/matrix-org/synapse/pull/15634"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.85.0","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.85.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/"}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-84.yaml","reference_id":"","referenc
e_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-84.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2"},{"reference_url":"https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/"}],"url":"https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account"},{"reference_url":"https://matrix-org.github.io/synapse/latest/jwt.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR
:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/"}],"url":"https://matrix-org.github.io/synapse/latest/jwt.html"},{"reference_url":"https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/"}],"url":"https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207","reference_id":"1037207","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32682","reference_id":"CVE-2023-32682","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32682"},{"reference_url":"https://github.com/advisories/GHSA-26c5-ppr8-f33p","reference_id":"GHSA-26c5-ppr8-f33p","reference_type":"","scores":[],"url":"https://github
.com/advisories/GHSA-26c5-ppr8-f33p"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/","reference_id":"X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32835?format=json","purl":"pkg:pypi/matrix-synapse@1.85.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-9wuf-2wxr-z7a8"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-x5jc-ezaq-xudd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.85.0"}],"aliases":["CVE-2023-32682","GHSA-26c5-ppr8-f33p","PYSEC-2023-84"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v54a-sjgy-b7ca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8044?format=json","vulnerability_id":"VCID-vb2z-kkev-aues","summary":"Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. 
The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection, server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0, which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21273","reference_id":"","reference_type":"","scores":[{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55523","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21273"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746"},{"reference_url":"https://github.com/matrix-org/synapse/pull/8821","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.
1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/8821"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.25.0","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.25.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-131.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-131.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/li
st/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21273","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21273"},{"reference_url":"https://github.com/advisories/GHSA-v936-j8gp-9q3p","reference_id":"GHSA-v936-j8gp-9q3p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v936-j8gp-9q3p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18960?format=json","purl":"pkg:pypi/matrix-synapse@1.25.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1cxk-wn3b-jycq"},{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5b91-nm22-5uh4"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-fmqv-a8qr-gqfz"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-k689-rvyd-e3hp"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-n
mup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"},{"vulnerability":"VCID-zvev-sm5c-suh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.25.0"}],"aliases":["CVE-2021-21273","GHSA-v936-j8gp-9q3p","PYSEC-2021-131"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vb2z-kkev-aues"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8787?format=json","vulnerability_id":"VCID-z5ga-q6zr-3kb5","summary":"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. 
Server operators should upgrade to Synapse 1.74 or newer urgently.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32323","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33116","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32323"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/issues/14492","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:00:17Z/"}],"url":"https://github.com/matrix-org/synapse/issues/14492"},{"reference_url":"https://github.com/matrix-org/synapse/pull/14642","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:
N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:00:17Z/"}],"url":"https://github.com/matrix-org/synapse/pull/14642"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:00:17Z/"}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_element
s":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32323","reference_id":"CVE-2023-32323","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32323"},{"reference_url":"https://github.com/advisories/GHSA-f3wc-3vxv-xmvr","reference_id":"GHSA-f3wc-3vxv-xmvr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f3wc-3vxv-xmvr"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/","reference_id":"UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:00:17Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32734?format=json","purl":"pkg:pypi/matrix-synapse@1.74.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-9wuf-2wxr-z7a8"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh
6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-x5jc-ezaq-xudd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.74.0"}],"aliases":["CVE-2023-32323","GHSA-f3wc-3vxv-xmvr","PYSEC-2023-67"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z5ga-q6zr-3kb5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3992?format=json","vulnerability_id":"VCID-zdxd-83uy-hbad","summary":"denial of service","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26890","reference_id":"","reference_type":"","scores":[{"value":"0.00572","scoring_system":"epss","scoring_elements":"0.69005","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26890"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYS
EC-2020-237.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-237.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraprojec
t.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26890","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26890"},{"reference_url":"https://pypi.org/project/matrix-synapse","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/matrix-synapse"},{"reference_url":"https://security.archlinux.org/ASA-202011-23","reference_id":"ASA-202011-23","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202011-23"},{"reference_url":"https://security.archlinux.org/AVG-1296","reference_id":"AVG-1296","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1296"},{"reference_url":"https://github.com/advisories/GHSA-4mp3-385r-v63f","reference_id":"GHSA-4mp3-385r-v63f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4mp3-385r-v63f
"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/17418?format=json","purl":"pkg:pypi/matrix-synapse@1.20.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1cxk-wn3b-jycq"},{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5b91-nm22-5uh4"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-cff6-n5gz-jfhe"},{"vulnerability":"VCID-fmqv-a8qr-gqfz"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-k689-rvyd-e3hp"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-sh81-25ty-4bgn"},{"vulnerability":"VCID-sqmn-ffjr-s7bc"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-vb2z-kkev-aues"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"},{"vulnerability":"VCID-zvev-sm5c-suh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.20.0"}],"aliases":["CVE-2020-26890","GHSA-4mp3-385r-v63f","PYSEC-2020-237"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zdxd-83uy-hbad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8076?format=json","vulnerability_id":"VCID-zvev-sm5c-suh6","summary":"Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. 
Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21393","reference_id":"","reference_type":"","scores":[{"value":"0.00548","scoring_system":"epss","scoring_elements":"0.68204","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21393"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128"},{"reference_url":"https://github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","sco
ring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9321","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9321"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9393","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9393"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_element
s":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21393","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21393"},{"reference_url":"https://pypi.org/project/matrix-synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/matrix-synapse"},{"reference_url":"https://pypi.org/project/matrix-synapse/","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/
matrix-synapse/"},{"reference_url":"https://github.com/advisories/GHSA-jrh7-mhhx-6h88","reference_id":"GHSA-jrh7-mhhx-6h88","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jrh7-mhhx-6h88"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20260?format=json","purl":"pkg:pypi/matrix-synapse@1.28.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3stp-shy4-dudr"},{"vulnerability":"VCID-3tbz-jcb2-4fdn"},{"vulnerability":"VCID-43wz-3reu-s3ep"},{"vulnerability":"VCID-5fgp-pcfw-33gk"},{"vulnerability":"VCID-66cm-6sgb-bqft"},{"vulnerability":"VCID-arh5-tp1n-nubq"},{"vulnerability":"VCID-g7rm-55dm-tybk"},{"vulnerability":"VCID-jg9y-53m4-5bb6"},{"vulnerability":"VCID-mmge-uj6j-k3c2"},{"vulnerability":"VCID-nmup-uep4-b7hw"},{"vulnerability":"VCID-pg5k-2upe-dudk"},{"vulnerability":"VCID-ry9q-34p9-auh6"},{"vulnerability":"VCID-tug1-g6m1-j3f3"},{"vulnerability":"VCID-v54a-sjgy-b7ca"},{"vulnerability":"VCID-z5ga-q6zr-3kb5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0"}],"aliases":["CVE-2021-21393","GHSA-jrh7-mhhx-6h88","PYSEC-2021-26"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zvev-sm5c-suh6"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@0.33.7"}