{"url":"http://public2.vulnerablecode.io/api/packages/195385?format=json","purl":"pkg:deb/debian/erlang@1:25.2.3%2Bdfsg-1%2Bdeb12u4","type":"deb","namespace":"debian","name":"erlang","version":"1:25.2.3+dfsg-1+deb12u4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1:27.3.4.12+dfsg-1","latest_non_vulnerable_version":"1:27.3.4.12+dfsg-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59297?format=json","vulnerability_id":"VCID-2uh8-nhph-gfb6","summary":"erlang: Erlang OTP public_key: Certificate chain forgery via improper trust chain validation","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42789.json","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42789.json"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42789","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42789"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2482093","reference_id":"2482093","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2482093"},{"reference_url":"https://github.com/erlang/otp/commit/471cd2f664300a95353c467873800bbe706005db","reference_id":"471cd2f664300a95353c467873800bbe706005db","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA
:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/"}],"url":"https://github.com/erlang/otp/commit/471cd2f664300a95353c467873800bbe706005db"},{"reference_url":"https://github.com/erlang/otp/commit/59c8d824386b2eb1614ff9340624843ef6aca0fd","reference_id":"59c8d824386b2eb1614ff9340624843ef6aca0fd","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/"}],"url":"https://github.com/erlang/otp/commit/59c8d824386b2eb1614ff9340624843ef6aca0fd"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"},{"reference_url":"https://cna.erlef.org/cves/CVE-2026-42789.html","reference_id":"CVE-2026-42789.html","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/"}],"url":"https://cna.erlef.org/cves/CVE-2026-42789.html"},{"reference_url":"https://osv.dev/vulnerability/EEF-CVE-2026-42789","reference_id":"EEF-CVE-2026-42789","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/"}],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-42789"},{"reference_u
rl":"https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq","reference_id":"GHSA-c99q-jmpx-v8qq","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/"}],"url":"https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq"},{"reference_url":"https://www.erlang.org/doc/system/versions.html#order-of-versions","reference_id":"versions.html#order-of-versions","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T15:41:47Z/"}],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195831?format=json","purl":"pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.12%252Bdfsg-1"}],"aliases":["CVE-2026-42789"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2uh8-nhph-gfb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66632?format=json","vulnerability_id":"VCID-883b-48uw-6yag","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.  The SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. 
When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.  Any authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.  If the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.  This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.  This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 
5.1.4.15.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32147"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004","reference_id":"28c5d5a6c5f873dc701b597276271763e7d1c004","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:11:06Z/"}],"url":"https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"},{"reference_url":"https://cna.erlef.org/cves/CVE-2026-32147.html","reference_id":"CVE-2026-32147.html","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:11:06Z/"}],"url":"https://cna.erlef.org/cves/CVE-2026-32147.html"},{"reference_url":"https://osv.dev/vulnerability/EEF-CVE-2026-32147","reference_id":"EEF-CVE-2026-32147","r
eference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:11:06Z/"}],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-32147"},{"reference_url":"https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5","reference_id":"GHSA-28jg-mw9x-hpm5","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:11:06Z/"}],"url":"https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5"},{"reference_url":"https://www.erlang.org/doc/system/versions.html#order-of-versions","reference_id":"versions.html#order-of-versions","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:11:06Z/"}],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195831?format=json","purl":"pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.12%252Bdfsg-1"}],"aliases":["CVE-2026-32147"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-883b-48uw-6yag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66612?format=json","vulnerability_id":"VCID-b3hg-mjga-nbg1","summary":"inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1.18 
and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000107.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000107.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000107","reference_id":"","reference_type":"","scores":[{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.60987","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000107"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000107","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000107"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:N/I:P/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115086","reference_id":"1115086","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115086"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1824460","reference_id":"1824460","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1824460"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195830?format=json","purl":"pkg:deb/debian/erlang@1:27.3.4.
1%2Bdfsg-1%2Bdeb13u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uh8-nhph-gfb6"},{"vulnerability":"VCID-883b-48uw-6yag"},{"vulnerability":"VCID-aqqx-g7d3-1yfy"},{"vulnerability":"VCID-dazh-ypb5-akfp"},{"vulnerability":"VCID-n6dc-39d1-83cr"},{"vulnerability":"VCID-ryy7-f45d-yyhv"},{"vulnerability":"VCID-wsby-unw4-zqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.1%252Bdfsg-1%252Bdeb13u2"}],"aliases":["CVE-2016-1000107"],"risk_score":2.8,"exploitability":"0.5","weighted_severity":"5.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b3hg-mjga-nbg1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/63450?format=json","vulnerability_id":"VCID-dazh-ypb5-akfp","summary":"erlang/otp: Erlang/OTP kernel: DNS cache poisoning via predictable DNS transaction IDs","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28810.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28810.json"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28810","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28810"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455868","reference_id":"2455868","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455868"},{"reference_url":"https://github.com/erlang/otp/commit/36f2
3c9d2cc54afe83671dd7343596d7972839a5","reference_id":"36f23c9d2cc54afe83671dd7343596d7972839a5","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:27:52Z/"}],"url":"https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5"},{"reference_url":"https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8","reference_id":"b057a9d995017b1be50d6dc02edd52382f3231b8","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:27:52Z/"}],"url":"https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"},{"reference_url":"https://cna.erlef.org/cves/CVE-2026-28810.html","reference_id":"CVE-2026-28810.html","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:27:52Z/"}],"url":"https://cna.erlef.org/cves/CVE-2026-28810.html"},{"reference_url":"https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd","reference_id":"dd15e8eb03548c5e55e9915f0e91389ec6bad9fd","reference_type":"","scores":[{"value":"6.3"
,"scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:27:52Z/"}],"url":"https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd"},{"reference_url":"https://osv.dev/vulnerability/EEF-CVE-2026-28810","reference_id":"EEF-CVE-2026-28810","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:27:52Z/"}],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-28810"},{"reference_url":"https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8","reference_id":"GHSA-v884-5jg5-whj8","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:27:52Z/"}],"url":"https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8"},{"reference_url":"https://www.erlang.org/doc/system/versions.html#order-of-versions","reference_id":"versions.html#order-of-versions","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:27:52Z/"}],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195831?format=json","purl":"pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/deb
ian/erlang@1:27.3.4.12%252Bdfsg-1"}],"aliases":["CVE-2026-28810"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dazh-ypb5-akfp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/63447?format=json","vulnerability_id":"VCID-ryy7-f45d-yyhv","summary":"erlang/otp: inets: Erlang OTP inets modules: Unauthenticated access to protected CGI scripts via incorrect authorization","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28808.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28808.json"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28808","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28808"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455909","reference_id":"2455909","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455909"},{"reference_url":"https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688","reference_id":"8fc71ac6af4fbcc54103bec2983ef22e82942688","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T13:14:10Z/"}],"url":"https://github.com/erl
ang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688"},{"reference_url":"https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c","reference_id":"9dfa0c51eac97866078e808dec2183cb7871ff7c","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T13:14:10Z/"}],"url":"https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"},{"reference_url":"https://cna.erlef.org/cves/CVE-2026-28808.html","reference_id":"CVE-2026-28808.html","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T13:14:10Z/"}],"url":"https://cna.erlef.org/cves/CVE-2026-28808.html"},{"reference_url":"https://osv.dev/vulnerability/EEF-CVE-2026-28808","reference_id":"EEF-CVE-2026-28808","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T13:14:10Z/"}],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-28808"},{"reference_url":"https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f","reference_id":"GHSA-3vhp-h532-mc3f","reference_type":"","scores":[{"valu
e":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T13:14:10Z/"}],"url":"https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f"},{"reference_url":"https://www.erlang.org/doc/system/versions.html#order-of-versions","reference_id":"versions.html#order-of-versions","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T13:14:10Z/"}],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195831?format=json","purl":"pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.12%252Bdfsg-1"}],"aliases":["CVE-2026-28808"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ryy7-f45d-yyhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66633?format=json","vulnerability_id":"VCID-wsby-unw4-zqe7","summary":"Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification.  Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. 
victim.example.com):  First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName.  Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback.  The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher.  
This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42790","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42790"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759","reference_id":"0769050c69d73762672b0db1347b6993a5b31759","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759"},{"reference_url":"https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a","reference_id":"21abed64eb2026b5f82f432709e4e932f9be389a","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_type":"","scores
":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"},{"reference_url":"https://cna.erlef.org/cves/CVE-2026-42790.html","reference_id":"CVE-2026-42790.html","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://cna.erlef.org/cves/CVE-2026-42790.html"},{"reference_url":"https://osv.dev/vulnerability/EEF-CVE-2026-42790","reference_id":"EEF-CVE-2026-42790","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-42790"},{"reference_url":"https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457","reference_id":"fb67c6d1836f51105a96d8b769e71e4215a79457","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457"},{"reference_url":"https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447","reference_id":"GHSA-22cw-4ph4-6447","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://github.com/erlang/otp/security/advisorie
s/GHSA-22cw-4ph4-6447"},{"reference_url":"https://www.erlang.org/doc/system/versions.html#order-of-versions","reference_id":"versions.html#order-of-versions","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T17:31:50Z/"}],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195831?format=json","purl":"pkg:deb/debian/erlang@1:27.3.4.12%2Bdfsg-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:27.3.4.12%252Bdfsg-1"}],"aliases":["CVE-2026-42790"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wsby-unw4-zqe7"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66623?format=json","vulnerability_id":"VCID-dccw-cx8r-r7a1","summary":"Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. 
This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46712","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46712"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104963","reference_id":"1104963","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104963"},{"reference_url":"https://github.com/erlang/otp/commit/e4b56a9f4a511aa9990dd86c16c61439c828df83","reference_id":"e4b56a9f4a511aa9990dd86c16c61439c828df83","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T20:02:52Z/"}],"url":"https://github.com/erlang/otp/commit/e4b56a9f4a511aa9990dd86c16c61439c828df83"},{"reference_url":"https://github.com/erlang/otp/security/advisories/GHSA-934x-xq38-hhqf","reference_id":"GHSA-934x-xq38-hhqf","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T20:02:52Z/"}],"url":"https://github.com/erlang/otp/security/advisories/GHSA-934x-xq38-hhqf"},{"reference_url":"https://github.com/erlang/otp/releases/tag/OTP-25.3.2.21","reference_id":"OTP-25.3.2.21","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T20:02:52Z/"}],"url":"https://github.com/erlang/otp/releases/tag/OTP-25.3.2.21"},{"reference_url":"https://github.com/erlang/otp/releas
es/tag/OTP-26.2.5.12","reference_id":"OTP-26.2.5.12","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T20:02:52Z/"}],"url":"https://github.com/erlang/otp/releases/tag/OTP-26.2.5.12"},{"reference_url":"https://github.com/erlang/otp/releases/tag/OTP-27.3.4","reference_id":"OTP-27.3.4","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T20:02:52Z/"}],"url":"https://github.com/erlang/otp/releases/tag/OTP-27.3.4"},{"reference_url":"https://usn.ubuntu.com/7656-1/","reference_id":"USN-7656-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7656-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195385?format=json","purl":"pkg:deb/debian/erlang@1:25.2.3%2Bdfsg-1%2Bdeb12u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uh8-nhph-gfb6"},{"vulnerability":"VCID-883b-48uw-6yag"},{"vulnerability":"VCID-b3hg-mjga-nbg1"},{"vulnerability":"VCID-dazh-ypb5-akfp"},{"vulnerability":"VCID-ryy7-f45d-yyhv"},{"vulnerability":"VCID-wsby-unw4-zqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:25.2.3%252Bdfsg-1%252Bdeb12u4"}],"aliases":["CVE-2025-46712"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dccw-cx8r-r7a1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66626?format=json","vulnerability_id":"VCID-yyfx-f783-fqgk","summary":"Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. 
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.  This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48040.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48040.json"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48040","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48040"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/erlang/otp/pull/10162","reference_id":"10162","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-11T13:30:33Z/"}],"url":"https://github.com/erlang/otp/pull/10162"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115091","reference_id":"1115091","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115091"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394521","reference_id":"2394521","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394521"},{"reference_url":"https://github.com/erlang/otp/commit/548f1295d86d0803da884db8685cc16d461d0
d5a","reference_id":"548f1295d86d0803da884db8685cc16d461d0d5a","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-11T13:30:33Z/"}],"url":"https://github.com/erlang/otp/commit/548f1295d86d0803da884db8685cc16d461d0d5a"},{"reference_url":"https://github.com/erlang/otp/commit/7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a","reference_id":"7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-11T13:30:33Z/"}],"url":"https://github.com/erlang/otp/commit/7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"},{"reference_url":"https://cna.erlef.org/cves/CVE-2025-48040.html","reference_id":"CVE-2025-48040.html","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-11T13:30:33Z/"}],"url":"https://cna.erlef.org/cves/CVE-2025-48040.html"},{"reference_url":"https://osv.dev/vulnerability/EEF-CVE-2025-48040","reference_id":"EEF-CVE-2025-48040","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:
N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-11T13:30:33Z/"}],"url":"https://osv.dev/vulnerability/EEF-CVE-2025-48040"},{"reference_url":"https://github.com/erlang/otp/security/advisories/GHSA-h7rg-6rjg-4cph","reference_id":"GHSA-h7rg-6rjg-4cph","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-11T13:30:33Z/"}],"url":"https://github.com/erlang/otp/security/advisories/GHSA-h7rg-6rjg-4cph"},{"reference_url":"https://usn.ubuntu.com/7831-1/","reference_id":"USN-7831-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7831-1/"},{"reference_url":"https://www.erlang.org/doc/system/versions.html#order-of-versions","reference_id":"versions.html#order-of-versions","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-11T13:30:33Z/"}],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195385?format=json","purl":"pkg:deb/debian/erlang@1:25.2.3%2Bdfsg-1%2Bdeb12u4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uh8-nhph-gfb6"},{"vulnerability":"VCID-883b-48uw-6yag"},{"vulnerability":"VCID-b3hg-mjga-nbg1"},{"vulnerability":"VCID-dazh-ypb5-akfp"},{"vulnerability":"VCID-ryy7-f45d-yyhv"},{"vulnerability":"VCID-wsby-unw4-zqe7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:25.2.3%252Bdfsg-1%252Bdeb12u4"}],"aliases":["CVE-2025-48040"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"h
ttp://public2.vulnerablecode.io/vulnerabilities/VCID-yyfx-f783-fqgk"}],"risk_score":"2.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/erlang@1:25.2.3%252Bdfsg-1%252Bdeb12u4"}