{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","type":"deb","namespace":"debian","name":"potrace","version":"1.16-2","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98565?format=json","vulnerability_id":"VCID-28qx-9q41-zudk","summary":"The bm_readbody_bmp function in bitmap_io.c in Potrace 1.14 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8698.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7263","reference_id":"","reference_type":"","scores":[{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57698","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.5775","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57758","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57749","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57736","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0035","scoring_system":"epss","scoring_elements":"0.57754","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7263"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7263","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7263"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858763","reference_id":"858763","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858763"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124004?format=json","purl":"pkg:deb/debian/potrace@1.15-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.15-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2017-7263"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-28qx-9q41-zudk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98563?format=json","vulnerability_id":"VCID-3zhz-2anf-2uev","summary":"Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to have unspecified impact via a crafted BMP image, a different vulnerability than CVE-2016-8698, CVE-2016-8699, CVE-2016-8700, CVE-2016-8701, and CVE-2016-8702.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8703","reference_id":"","reference_type":"","scores":[{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68601","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68642","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.6865","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68627","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68645","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8703"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8703","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8703"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124002?format=json","purl":"pkg:deb/debian/potrace@1.13-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8703"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3zhz-2anf-2uev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98558?format=json","vulnerability_id":"VCID-5fc3-37gw-gqfw","summary":"Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to have unspecified impact via a crafted BMP image, a different vulnerability than CVE-2016-8699, CVE-2016-8700, CVE-2016-8701, CVE-2016-8702, and CVE-2016-8703.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8698","reference_id":"","reference_type":"","scores":[{"value":"0.00653","scoring_system":"epss","scoring_elements":"0.71302","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00653","scoring_system":"epss","scoring_elements":"0.71346","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00653","scoring_system":"epss","scoring_elements":"0.71353","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00653","scoring_system":"epss","scoring_elements":"0.71332","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00653","scoring_system":"epss","scoring_elements":"0.71316","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00653","scoring_system":"epss","scoring_elements":"0.71341","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8698"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8698","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8698"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124002?format=json","purl":"pkg:deb/debian/potrace@1.13-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8698"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5fc3-37gw-gqfw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98560?format=json","vulnerability_id":"VCID-6b4e-syzd-9ue9","summary":"Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to have unspecified impact via a crafted BMP image, a different vulnerability than CVE-2016-8698, CVE-2016-8699, CVE-2016-8701, CVE-2016-8702, and CVE-2016-8703.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8700","reference_id":"","reference_type":"","scores":[{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68601","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68642","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.6865","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68627","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68645","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8700"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8700","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8700"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124002?format=json","purl":"pkg:deb/debian/potrace@1.13-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8700"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6b4e-syzd-9ue9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98553?format=json","vulnerability_id":"VCID-8dt7-m8f4-zfhb","summary":"The bm_new function in bitmap.h in potrace 1.13 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8686","reference_id":"","reference_type":"","scores":[{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.3923","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39319","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39324","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39296","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39268","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39282","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8686"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8686","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8686"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850595","reference_id":"850595","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850595"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124000?format=json","purl":"pkg:deb/debian/potrace@1.14-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.14-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8686"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8dt7-m8f4-zfhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98564?format=json","vulnerability_id":"VCID-8kux-2uyk-y3bm","summary":"Potrace 1.14 has a heap-based buffer over-read in the interpolate_cubic function in mkbitmap.c.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12067","reference_id":"","reference_type":"","scores":[{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.55971","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.56025","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.56031","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.56018","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.56001","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.56022","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12067"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12067","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12067"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870356","reference_id":"870356","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870356"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124004?format=json","purl":"pkg:deb/debian/potrace@1.15-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.15-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2017-12067"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8kux-2uyk-y3bm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98557?format=json","vulnerability_id":"VCID-dkjx-qxxj-4bdh","summary":"The bm_new function in bitmap.h in potrace before 1.13 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a crafted BMP image.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8697","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47475","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47539","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47542","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47525","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47494","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47507","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8697"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8697","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8697"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124002?format=json","purl":"pkg:deb/debian/potrace@1.13-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8697"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dkjx-qxxj-4bdh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98551?format=json","vulnerability_id":"VCID-dvd6-e7c7-9qgd","summary":"Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-7437","reference_id":"","reference_type":"","scores":[{"value":"0.00729","scoring_system":"epss","scoring_elements":"0.7303","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00729","scoring_system":"epss","scoring_elements":"0.73067","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00729","scoring_system":"epss","scoring_elements":"0.73073","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00729","scoring_system":"epss","scoring_elements":"0.73055","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00729","scoring_system":"epss","scoring_elements":"0.73043","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00729","scoring_system":"epss","scoring_elements":"0.73068","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-7437"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7437","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7437"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778646","reference_id":"778646","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778646"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/123996?format=json","purl":"pkg:deb/debian/potrace@1.12-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.12-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2013-7437"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dvd6-e7c7-9qgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98559?format=json","vulnerability_id":"VCID-p731-phej-cqbx","summary":"Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to have unspecified impact via a crafted BMP image, a different vulnerability than CVE-2016-8698, CVE-2016-8700, CVE-2016-8701, CVE-2016-8702, and CVE-2016-8703.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8699","reference_id":"","reference_type":"","scores":[{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68601","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68642","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.6865","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68627","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68645","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8699"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8699","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8699"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124002?format=json","purl":"pkg:deb/debian/potrace@1.13-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8699"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p731-phej-cqbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98561?format=json","vulnerability_id":"VCID-psvz-bxb4-a3bp","summary":"Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to have unspecified impact via a crafted BMP image, a different vulnerability than CVE-2016-8698, CVE-2016-8699, CVE-2016-8700, CVE-2016-8702, and CVE-2016-8703.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8701","reference_id":"","reference_type":"","scores":[{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68601","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68642","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.6865","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68627","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68645","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8701"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8701","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8701"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124002?format=json","purl":"pkg:deb/debian/potrace@1.13-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8701"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-psvz-bxb4-a3bp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98554?format=json","vulnerability_id":"VCID-r1ar-ytfg-5fae","summary":"The bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted BMP image, a different vulnerability than CVE-2016-8695 and CVE-2016-8696.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8694","reference_id":"","reference_type":"","scores":[{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.5179","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51848","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51857","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51836","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51804","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51823","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8694"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8694","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8694"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124002?format=json","purl":"pkg:deb/debian/potrace@1.13-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8694"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r1ar-ytfg-5fae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98552?format=json","vulnerability_id":"VCID-yjcz-2esj-pkd3","summary":"The findnext function in decompose.c in potrace 1.13 allows remote attackers to cause a denial of service (invalid memory access and crash) via a crafted BMP image.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8685","reference_id":"","reference_type":"","scores":[{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.23931","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.24027","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.24011","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.23957","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.239","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.23905","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8685"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8685","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8685"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843861","reference_id":"843861","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843861"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/123998?format=json","purl":"pkg:deb/debian/potrace@1.13-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8685"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yjcz-2esj-pkd3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98556?format=json","vulnerability_id":"VCID-yt3r-vsbj-zydh","summary":"The bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted BMP image, a different vulnerability than CVE-2016-8694 and CVE-2016-8695.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8696","reference_id":"","reference_type":"","scores":[{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56198","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56253","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.5626","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56247","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56231","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.5625","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8696"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8696","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8696"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124002?format=json","purl":"pkg:deb/debian/potrace@1.13-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8696"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yt3r-vsbj-zydh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98555?format=json","vulnerability_id":"VCID-zcs7-y5wt-k7dk","summary":"The bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted BMP image, a different vulnerability than CVE-2016-8694 and CVE-2016-8696.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8695","reference_id":"","reference_type":"","scores":[{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.5179","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51848","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51857","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51836","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51804","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51823","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8695"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8695","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8695"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124002?format=json","purl":"pkg:deb/debian/potrace@1.13-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8695"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zcs7-y5wt-k7dk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98562?format=json","vulnerability_id":"VCID-zk8j-p296-dqa5","summary":"Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to have unspecified impact via a crafted BMP image, a different vulnerability than CVE-2016-8698, CVE-2016-8699, CVE-2016-8700, CVE-2016-8701, and CVE-2016-8703.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8702","reference_id":"","reference_type":"","scores":[{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68601","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68642","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.6865","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68627","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68645","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8702"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8702","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124002?format=json","purl":"pkg:deb/debian/potrace@1.13-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.13-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/123995?format=json","purl":"pkg:deb/debian/potrace@1.16-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}],"aliases":["CVE-2016-8702"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zk8j-p296-dqa5"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/potrace@1.16-2%3Fdistro=trixie"}