{"url":"http://public2.vulnerablecode.io/api/packages/218557?format=json","purl":"pkg:npm/express-cart@1.1.1","type":"npm","namespace":"","name":"express-cart","version":"1.1.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41302?format=json","vulnerability_id":"VCID-145a-97vu-jyeg","summary":"Cross-Site Request Forgery (CSRF)\nThe express-cart package for Node.js allows CSRF.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-22403","reference_id":"","reference_type":"","scores":[{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.33929","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34031","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-22403"},{"reference_url":"https://github.com/mrvautin/expressCart","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mrvautin/expressCart"},{"reference_url":"https://github.com/mrvautin/expressCart/commit/cd3ba1bc609c2f2946bfbc7ee2fccf3483eb71fb","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mrvautin/expressCart/commit/cd3ba1bc609c2f2946bfbc7ee2fccf3483eb71fb"},{"reference_url":"https://github.com/mrvautin/expressCart/issues/120","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring
_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mrvautin/expressCart/issues/120"},{"reference_url":"https://hackerone.com/reports/395944","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/395944"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210909-0004","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210909-0004"},{"reference_url":"https://www.npmjs.com/package/express-cart","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/express-cart"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-22403","reference_id":"CVE-2020-22403","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-22403"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58660?format=json","purl":"pkg:npm/express-cart@1.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eb7w-y953-67dy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.11"},{"url":"http://public2.vulnerablecode.io/api/packages/141759?format=json","purl":"pkg:npm/express-cart@1.1.17","is_vulnerable":true,"affected_by_vulnerab
ilities":[{"vulnerability":"VCID-eb7w-y953-67dy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.17"}],"aliases":["CVE-2020-22403","GHSA-h5q8-5697-9p9h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-145a-97vu-jyeg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43601?format=json","vulnerability_id":"VCID-2cjq-uzsm-1uer","summary":"express-cart allows any user to create an admin user\nExpress-Cart before 1.1.6 allows remote attackers to create an admin user via an `/admin/setup` Referer header.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12457","reference_id":"","reference_type":"","scores":[{"value":"0.00524","scoring_system":"epss","scoring_elements":"0.67341","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00524","scoring_system":"epss","scoring_elements":"0.67299","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12457"},{"reference_url":"https://github.com/mrvautin/expressCart","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mrvautin/expressCart"},{"reference_url":"https://github.com/mrvautin/expressCart/commit/baccaae9b0b72f00b10c5453ca00231340ad3e3b","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mrvautin/expressCart/commit/baccaae9b0b72f00b10c5453ca00231340ad3e3b"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/469.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_s
ystem":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/469.json"},{"reference_url":"https://hackerone.com/reports/343626","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/343626"},{"reference_url":"https://snyk.io/vuln/npm:express-cart:20180712","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/npm:express-cart:20180712"},{"reference_url":"https://www.npmjs.com/advisories/730","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/730"},{"reference_url":"https://www.npmjs.com/package/express-cart?activeTab=versions","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/express-cart?activeTab=versions"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12457","reference_id":"CVE-2018-12457","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/C
VE-2018-12457"},{"reference_url":"https://github.com/advisories/GHSA-hr89-w7p6-pjmq","reference_id":"GHSA-hr89-w7p6-pjmq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hr89-w7p6-pjmq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57390?format=json","purl":"pkg:npm/express-cart@1.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-145a-97vu-jyeg"},{"vulnerability":"VCID-atgx-r2qy-8ufe"},{"vulnerability":"VCID-eb7w-y953-67dy"},{"vulnerability":"VCID-w999-rut7-z3cc"},{"vulnerability":"VCID-wx6w-8yww-v3em"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.6"}],"aliases":["CVE-2018-12457","GHSA-hr89-w7p6-pjmq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2cjq-uzsm-1uer"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53028?format=json","vulnerability_id":"VCID-atgx-r2qy-8ufe","summary":"NoSQL injection in express-cart\nVersions of `express-cart` before 1.1.8 are vulnerable to NoSQL injection. \n\nThe vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query, which allows an attacker to insert operators. \n\nThese operators can be used to extract the value of the field blindly in the same manner as a blind SQL injection. 
In this case, the `$regex` operator is used to guess each character of the token from the start.\n\n\n## Recommendation\n\nUpdate to version 1.1.8 or later.","references":[{"reference_url":"https://github.com/nodejs/security-wg","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg"},{"reference_url":"https://github.com/nodejs/security-wg/blob/master/vuln/npm/472.json","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/master/vuln/npm/472.json"},{"reference_url":"https://hackerone.com/reports/397445","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/397445"},{"reference_url":"https://www.npmjs.com/advisories/724","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/724"},{"reference_url":"https://github.com/advisories/GHSA-f5cv-xrv9-r8w7","reference_id":"GHSA-f5cv-xrv9-r8w7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f5cv-xrv9-r8w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78014?format=json","purl":"pkg:npm/express-cart@1.1.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-145a-97vu-jyeg"},{"vulnerability":"VCID-eb7w-y953-67dy"},{"vulnerability":"VCID-wx6w-8yww-v3em"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.8"}],"aliases":["GHSA-f5cv-xrv9-r8w7","GMS-2020-717"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-atgx-r2qy-8ufe"},{"url":
"http://public2.vulnerablecode.io/api/vulnerabilities/52999?format=json","vulnerability_id":"VCID-cftz-enwf-6uht","summary":"Relative Path Traversal in express-cart.","references":[{"reference_url":"https://hackerone.com/reports/343726","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/343726"},{"reference_url":"https://www.npmjs.com/advisories/676","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/676"},{"reference_url":"https://github.com/advisories/GHSA-8h8v-6qqm-fwpq","reference_id":"GHSA-8h8v-6qqm-fwpq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8h8v-6qqm-fwpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57390?format=json","purl":"pkg:npm/express-cart@1.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-145a-97vu-jyeg"},{"vulnerability":"VCID-atgx-r2qy-8ufe"},{"vulnerability":"VCID-eb7w-y953-67dy"},{"vulnerability":"VCID-w999-rut7-z3cc"},{"vulnerability":"VCID-wx6w-8yww-v3em"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/6667?format=json","purl":"pkg:npm/express-cart@1.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-145a-97vu-jyeg"},{"vulnerability":"VCID-atgx-r2qy-8ufe"},{"vulnerability":"VCID-eb7w-y953-67dy"},{"vulnerability":"VCID-wx6w-8yww-v3em"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.7"}],"aliases":["GHSA-8h8v-6qqm-fwpq","GMS-2020-715"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cftz-enwf-6uht"},{"url":"http://public2.v
ulnerablecode.io/api/vulnerabilities/53145?format=json","vulnerability_id":"VCID-eb7w-y953-67dy","summary":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in express-cart.","references":[{"reference_url":"https://hackerone.com/reports/395944","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/395944"},{"reference_url":"https://www.npmjs.com/advisories/808","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/808"},{"reference_url":"https://github.com/advisories/GHSA-9pr3-7449-977r","reference_id":"GHSA-9pr3-7449-977r","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9pr3-7449-977r"}],"fixed_packages":[],"aliases":["GHSA-9pr3-7449-977r","GMS-2020-716"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eb7w-y953-67dy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41026?format=json","vulnerability_id":"VCID-ewh1-bpnm-8fh4","summary":"Privilege Escalation in express-cart\nVersions of `express-cart` before 1.1.6 are vulnerable to privilege escalation. 
This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users.\n\n\n## Recommendation\n\nUpdate to version 1.1.6 or later.","references":[{"reference_url":"https://github.com/mrvautin/expressCart/commit/baccaae9b0b72f00b10c5453ca00231340ad3e3b","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mrvautin/expressCart/commit/baccaae9b0b72f00b10c5453ca00231340ad3e3b"},{"reference_url":"https://github.com/nodejs/security-wg/blob/master/vuln/npm/469.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/master/vuln/npm/469.json"},{"reference_url":"https://hackerone.com/reports/343626","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/343626"},{"reference_url":"https://snyk.io/vuln/npm:express-cart:20180712","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/npm:express-cart:20180712"},{"reference_url":"https://www.npmjs.com/advisories/730","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textua
l","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/730"},{"reference_url":"https://github.com/advisories/GHSA-3fc5-9x9m-vqc4","reference_id":"GHSA-3fc5-9x9m-vqc4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3fc5-9x9m-vqc4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57390?format=json","purl":"pkg:npm/express-cart@1.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-145a-97vu-jyeg"},{"vulnerability":"VCID-atgx-r2qy-8ufe"},{"vulnerability":"VCID-eb7w-y953-67dy"},{"vulnerability":"VCID-w999-rut7-z3cc"},{"vulnerability":"VCID-wx6w-8yww-v3em"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.6"}],"aliases":["GHSA-3fc5-9x9m-vqc4","GMS-2019-122"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ewh1-bpnm-8fh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30604?format=json","vulnerability_id":"VCID-w999-rut7-z3cc","summary":"Path Traversal\nUnrestricted file upload 
(RCE)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3758","reference_id":"","reference_type":"","scores":[{"value":"0.00852","scoring_system":"epss","scoring_elements":"0.7527","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00852","scoring_system":"epss","scoring_elements":"0.753","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3758"},{"reference_url":"https://github.com/mrvautin/expressCart/commit/65b18cfe426fa217aa6ada1d4162891883137893","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mrvautin/expressCart/commit/65b18cfe426fa217aa6ada1d4162891883137893"},{"reference_url":"https://hackerone.com/reports/343726","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/343726"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/441.json","reference_id":"441","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/441.json"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-3758","reference_id":"CVE-2018-3758","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-3758"},{"reference_url":"https://github.com/advisories/GHSA-4w62-cq5r-5mmq","reference_id":"GHSA-4w62-cq
5r-5mmq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4w62-cq5r-5mmq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6667?format=json","purl":"pkg:npm/express-cart@1.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-145a-97vu-jyeg"},{"vulnerability":"VCID-atgx-r2qy-8ufe"},{"vulnerability":"VCID-eb7w-y953-67dy"},{"vulnerability":"VCID-wx6w-8yww-v3em"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.7"}],"aliases":["CVE-2018-3758","GHSA-4w62-cq5r-5mmq"],"risk_score":4.1,"exploitability":"0.5","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w999-rut7-z3cc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40656?format=json","vulnerability_id":"VCID-wk1m-n6h7-ufbv","summary":"Improper Privilege Management\nA deficiency in the access control in module express-cart allows unprivileged users to add new users to the application as 
administrators.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16483","reference_id":"","reference_type":"","scores":[{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.48207","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.4827","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16483"},{"reference_url":"https://github.com/advisories/GHSA-wj36-v8j4-pc7c","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wj36-v8j4-pc7c"},{"reference_url":"https://hackerone.com/reports/343626","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/343626"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16483","reference_id":"CVE-2018-16483","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16483"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57390?format=json","purl":"pkg:npm/express-cart@1.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-145a-97vu-jyeg"},{"vulnerability":"VCID-atgx-r2qy-8ufe"},{"vulnerability":"VCID-eb7w-y953-67dy"},{"vulnerability":"VCID-w999-rut7-z3cc"},{"vulnerability":"VCID-wx6w-8yww-v3em"}],"resource_url":"http://public2.vulnerablecode
.io/packages/pkg:npm/express-cart@1.1.6"}],"aliases":["CVE-2018-16483","GHSA-wj36-v8j4-pc7c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wk1m-n6h7-ufbv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54476?format=json","vulnerability_id":"VCID-wx6w-8yww-v3em","summary":"Cross-site Scripting\n(This issue is currently in DISPUTED state). The express-cart package for Node.js allows Reflected XSS (for an admin) via a user input field for product options. The vendor states that this \"would rely on an admin hacking his/her own website.\"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32573","reference_id":"","reference_type":"","scores":[{"value":"0.00212","scoring_system":"epss","scoring_elements":"0.43704","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00212","scoring_system":"epss","scoring_elements":"0.43774","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32573"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32573","reference_id":"CVE-2021-32573","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32573"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58660?format=json","purl":"pkg:npm/express-cart@1.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eb7w-y953-67dy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.11"}],"aliases":["CVE-2021-32573"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wx6w-8yww-v3em"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.1"}