Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/20239?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/20239?format=api", "purl": "pkg:pypi/xml2rfc@3.12.4", "type": "pypi", "namespace": "", "name": "xml2rfc", "version": "3.12.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.30.2", "latest_non_vulnerable_version": "3.30.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360590?format=api", "vulnerability_id": "VCID-7h51-2ny1-z7fd", "summary": "xml2rfc has file inclusion irregularities\nVersion [3.12.0](https://github.com/ietf-tools/xml2rfc/blob/main/CHANGELOG.md#3120---2021-12-08) changed `xml2rfc` so that it would not access local files without the presence of its new `--allow-local-file-access` flag.\nThis prevented XML External Entity (XXE) injection attacks with `xinclude` and XML entity references.\n\nIt was discovered that `xml2rfc` does not respect `--allow-local-file-access` when a local file is specified as `src` in `artwork` or `sourcecode` elements. Furthermore, XML entity references can include any file inside the source dir and below without using the `--allow-local-file-access` flag. \n\nThe `xml2rfc <= 3.26.0` behaviour:\n\n| | `xinclude` | XML entity reference | `artwork src=` | `sourcecode src=` |\n|---|---|---|---|---|\n| without `--allow-local-file-access` flag | No filesystem access | Any file in xml2rfc templates dir and below, any file in source directory and below | Access source directory and below | Access source directory and below |\n| with `--allow-local-file-access` flag | Access any file on filesystem[^1] | Access any file on filesystem[^1] | Access source directory and below | Access source directory and below | Access source directory and below |\n\n [^1]: Access any file of the filesystem with the permissions of the user running `xml2rfc` can access.\n\n### Impact\n\nAnyone running `xml2rfc` as a service that accepts input from external users is impacted by this issue.\nSpecifying a file in `src` attribute in `artwork` or `sourcecode` elements will cause the contents of that file to appear in xml2rfc’s output results.\nBut that file has to be inside the same directory as the XML input source file.\nFor `artwork` and `sourcecode`, `xml2rfc` will not look above the source file directory.\n\n### The proposed new behaviour\n- Generalize file access checks.\n- Only allow access to files within src dir and below. (xml entity include can access templates dir).\n- Always allow access to `templates_dir` for XML entity includes.\n\nNew behaviour:\n\n| | `xinclude` | XML entity reference | `artwork src=` | `sourcecode src=` |\n|---|---|---|---|---|\n| without `--allow-local-file-access` flag | No filesystem access | No filesystem access _(except for `templates_dir`)_ | No filesystem access | No filesystem access |\n| with `--allow-local-file-access` flag | Access source directory and below | Access source directory and below _(Can access`templates_dir`)._ | Access source directory and below | Access source directory and below |\n\n### Workarounds\n\nUse a secure temporary directory to process un-trusted XML files, and do not reuse it for processing other XML documents.", "references": [ { "reference_url": "https://github.com/ietf-tools/xml2rfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/commit/ec98f9cb4b9a8658222117df037dda473ca3f4e4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/commit/ec98f9cb4b9a8658222117df037dda473ca3f4e4" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-432c-wxpg-m4q3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-432c-wxpg-m4q3" }, { "reference_url": "https://github.com/advisories/GHSA-432c-wxpg-m4q3", "reference_id": "GHSA-432c-wxpg-m4q3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-432c-wxpg-m4q3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377301?format=api", "purl": "pkg:pypi/xml2rfc@3.27.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96zb-v69y-7udq" }, { "vulnerability": "VCID-hzv3-nqaf-ckcx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/xml2rfc@3.27.0" } ], "aliases": [ "GHSA-432c-wxpg-m4q3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7h51-2ny1-z7fd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360548?format=api", "vulnerability_id": "VCID-96zb-v69y-7udq", "summary": "xml2rfc is vulnerable to arbitrary file reads through prepped files\n### Impact\n\nWhen generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.\n\n### Workarounds\n\nTest untrusted input with `link` elements with `rel=\"attachment\"` before processing.\n\n### References\nThis is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-11059", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51635", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-11059" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11059", "reference_id": "CVE-2025-11059", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11059" }, { "reference_url": "https://github.com/advisories/GHSA-9mv7-3c64-mmqw", "reference_id": "GHSA-9mv7-3c64-mmqw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9mv7-3c64-mmqw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376811?format=api", "purl": "pkg:pypi/xml2rfc@3.30.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/xml2rfc@3.30.2" } ], "aliases": [ "CVE-2025-11059", "GHSA-9mv7-3c64-mmqw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-96zb-v69y-7udq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360661?format=api", "vulnerability_id": "VCID-hzv3-nqaf-ckcx", "summary": "xml2rfc has an arbitrary file read vulnerability\n### Impact\nWhen generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML.\n\n### Workarounds\nTest untrusted input with `link` elements with `rel=\"attachment\"` before processing.\n\n### Credits\nThis vulnerability was reported by Mohamed Ouad from [Doyensec](https://doyensec.com/).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-11058", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.50422", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-11058" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/commit/f2b245bc0aeeac0667c8f74e976c466c5991f0e4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/commit/f2b245bc0aeeac0667c8f74e976c466c5991f0e4" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11058", "reference_id": "CVE-2025-11058", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11058" }, { "reference_url": "https://github.com/advisories/GHSA-cfmv-h8fx-85m7", "reference_id": "GHSA-cfmv-h8fx-85m7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cfmv-h8fx-85m7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377665?format=api", "purl": "pkg:pypi/xml2rfc@3.30.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96zb-v69y-7udq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/xml2rfc@3.30.1" } ], "aliases": [ "CVE-2025-11058", "GHSA-cfmv-h8fx-85m7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hzv3-nqaf-ckcx" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208926?format=api", "vulnerability_id": "VCID-vbea-2gtz-6qe9", "summary": "SVG with embedded scripts can lead to cross-site scripting attacks in xml2rfc", "references": [ { "reference_url": "https://github.com/ietf-tools/xml2rfc", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc" }, { "reference_url": "https://github.com/advisories/GHSA-cf4q-4cqr-7g7w", "reference_id": "GHSA-cf4q-4cqr-7g7w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cf4q-4cqr-7g7w" }, { "reference_url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cf4q-4cqr-7g7w", "reference_id": "GHSA-cf4q-4cqr-7g7w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cf4q-4cqr-7g7w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20239?format=api", "purl": "pkg:pypi/xml2rfc@3.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7h51-2ny1-z7fd" }, { "vulnerability": "VCID-96zb-v69y-7udq" }, { "vulnerability": "VCID-hzv3-nqaf-ckcx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/xml2rfc@3.12.4" } ], "aliases": [ "GHSA-cf4q-4cqr-7g7w", "GMS-2022-988" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vbea-2gtz-6qe9" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/xml2rfc@3.12.4" }