Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/186331?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/186331?format=api", "purl": "pkg:npm/mermaid@8.0.0-alpha.3", "type": "npm", "namespace": "", "name": "mermaid", "version": "8.0.0-alpha.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "10.9.4", "latest_non_vulnerable_version": "11.10.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/32656?format=api", "vulnerability_id": "VCID-9hch-63av-c3e2", "summary": "Cross-Site Scripting in mermaid\nVersions of `mermaid` prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as `A[\"<img src=invalid onerror=alert('XSS')></img>\"] ` is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.\n\n\n## Recommendation\n\nUpgrade to version 8.2.3 or later", "references": [ { "reference_url": "https://github.com/knsv/mermaid", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/knsv/mermaid" }, { "reference_url": "https://github.com/knsv/mermaid/issues/847", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/knsv/mermaid/issues/847" }, { "reference_url": "https://www.npmjs.com/advisories/751", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/751" }, { "reference_url": "https://github.com/advisories/GHSA-w32g-5hqp-gg6q", "reference_id": "GHSA-w32g-5hqp-gg6q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w32g-5hqp-gg6q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36454?format=api", "purl": "pkg:npm/mermaid@8.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6qac-5y2d-akdd" }, { "vulnerability": "VCID-fgz4-kbun-23bn" }, { "vulnerability": "VCID-fwuk-z3uk-1ygf" }, { "vulnerability": "VCID-x94b-cysu-4fbe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.2.3" } ], "aliases": [ "GHSA-w32g-5hqp-gg6q", "GMS-2020-747" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9hch-63av-c3e2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11926?format=api", "vulnerability_id": "VCID-fgz4-kbun-23bn", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nMermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams., malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to to receive a patch. There are no known workarounds aside from upgrading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43861", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65764", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.6562", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65669", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65699", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65664", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65715", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65728", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65749", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65735", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65705", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65741", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65754", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.6574", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43861" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43861", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43861" }, { "reference_url": "https://github.com/mermaid-js/mermaid", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid" }, { "reference_url": "https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83" }, { "reference_url": "https://github.com/mermaid-js/mermaid/releases/tag/8.13.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid/releases/tag/8.13.8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43861", "reference_id": "CVE-2021-43861", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43861" }, { "reference_url": "https://github.com/advisories/GHSA-p3rp-vmj9-gv6v", "reference_id": "GHSA-p3rp-vmj9-gv6v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p3rp-vmj9-gv6v" }, { "reference_url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v", "reference_id": "GHSA-p3rp-vmj9-gv6v", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42831?format=api", "purl": "pkg:npm/mermaid@8.13.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6qac-5y2d-akdd" }, { "vulnerability": "VCID-fwuk-z3uk-1ygf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.13.8" } ], "aliases": [ "CVE-2021-43861", "GHSA-p3rp-vmj9-gv6v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fgz4-kbun-23bn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12356?format=api", "vulnerability_id": "VCID-fwuk-z3uk-1ygf", "summary": "Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify\nThe following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.\n\nThis affects the built:\n\n- `dist/mermaid.min.js`\n- `dist/mermaid.js`\n- `dist/mermaid.esm.mjs`\n- `dist/mermaid.esm.min.mjs`\n\nThis will also affect users that use the above files via a CDN link, e.g. `https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js`\n\n**Users that use the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or the `dist/mermaid.core.mjs` file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like `npm audit fix`.**\n\n### Patches\n\n- `develop` branch: 6c785c93166c151d27d328ddf68a13d9d65adc00\n- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34", "references": [ { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674" }, { "reference_url": "https://github.com/mermaid-js/mermaid", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid" }, { "reference_url": "https://github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00" }, { "reference_url": "https://github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34" }, { "reference_url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf" }, { "reference_url": "https://github.com/advisories/GHSA-m4gq-x24j-jpmf", "reference_id": "GHSA-m4gq-x24j-jpmf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m4gq-x24j-jpmf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/43983?format=api", "purl": "pkg:npm/mermaid@10.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-q79q-8yzx-p3f6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/570776?format=api", "purl": "pkg:npm/mermaid@11.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-q79q-8yzx-p3f6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.0.0-alpha.1" } ], "aliases": [ "GHSA-m4gq-x24j-jpmf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fwuk-z3uk-1ygf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/10645?format=api", "vulnerability_id": "VCID-hbtz-4sw3-63dt", "summary": "Cross-Site Scripting\nIf malicious input such as `A[\"<img src=invalid onerror=alert('XSS')></img>\"]` is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.", "references": [ { "reference_url": "https://github.com/knsv/mermaid/issues/847", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/knsv/mermaid/issues/847" }, { "reference_url": "https://github.com/knsv/mermaid/issues/869", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/knsv/mermaid/issues/869" }, { "reference_url": "https://www.npmjs.com/advisories/751", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.npmjs.com/advisories/751" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36454?format=api", "purl": "pkg:npm/mermaid@8.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6qac-5y2d-akdd" }, { "vulnerability": "VCID-fgz4-kbun-23bn" }, { "vulnerability": "VCID-fwuk-z3uk-1ygf" }, { "vulnerability": "VCID-x94b-cysu-4fbe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.2.3" } ], "aliases": [ "GMS-2019-1" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hbtz-4sw3-63dt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36589?format=api", "vulnerability_id": "VCID-x94b-cysu-4fbe", "summary": "Cross-site Scripting in Mermaid\nMermaid before 8.11.0 allows XSS when the antiscript feature is used.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-35513", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53886", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53854", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53905", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53904", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.5395", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53933", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53916", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53954", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.5396", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53941", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53907", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53919", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53832", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.53851", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00307", "scoring_system": "epss", "scoring_elements": "0.5388", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-35513" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35513", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35513" }, { "reference_url": "https://github.com/mermaid-js/mermaid/issues/2122", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid/issues/2122" }, { "reference_url": "https://github.com/mermaid-js/mermaid/pull/2123", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid/pull/2123" }, { "reference_url": "https://github.com/mermaid-js/mermaid/pull/2123/commits/3d22fa5d2435de5acc18de6f88474a6e8675a60e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid/pull/2123/commits/3d22fa5d2435de5acc18de6f88474a6e8675a60e" }, { "reference_url": "https://github.com/mermaid-js/mermaid/releases/tag/8.11.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mermaid-js/mermaid/releases/tag/8.11.0-rc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35513", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35513" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990449", "reference_id": "990449", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990449" }, { "reference_url": "https://github.com/advisories/GHSA-4f6x-49g2-99fm", "reference_id": "GHSA-4f6x-49g2-99fm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4f6x-49g2-99fm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74520?format=api", "purl": "pkg:npm/mermaid@8.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6qac-5y2d-akdd" }, { "vulnerability": "VCID-fgz4-kbun-23bn" }, { "vulnerability": "VCID-fwuk-z3uk-1ygf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.11.0" } ], "aliases": [ "CVE-2021-35513", "GHSA-4f6x-49g2-99fm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x94b-cysu-4fbe" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.0.0-alpha.3" }