Package Instance
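Look up vulnerable packages by Package URL (purl). In the response below, `next_non_vulnerable_version` and `latest_non_vulnerable_version` are both null, and the only listed fixed package, pkg:npm/buttle@0.3.0, is itself flagged `is_vulnerable`, so this record names no non-vulnerable upgrade target.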
GET /api/packages/222143?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/222143?format=api", "purl": "pkg:npm/buttle@0.1.0", "type": "npm", "namespace": "", "name": "buttle", "version": "0.1.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53138?format=api", "vulnerability_id": "VCID-bf1q-18bq-j7ca", "summary": "Cross-Site Scripting in buttle\nAll versions of `buttle` are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, `buttle` does not sanitize the HTML output allowing attackers to run arbitrary JavaScript when processing malicious markdown files.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative module until a fix is made available.", "references": [ { "reference_url": "https://hackerone.com/reports/404126", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://hackerone.com/reports/404126" }, { "reference_url": "https://www.npmjs.com/advisories/810", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/810" }, { "reference_url": "https://github.com/advisories/GHSA-pqpp-2363-649v", "reference_id": "GHSA-pqpp-2363-649v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pqpp-2363-649v" } ], "fixed_packages": [], "aliases": [ "GHSA-pqpp-2363-649v", "GMS-2020-709" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bf1q-18bq-j7ca" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/40865?format=api", "vulnerability_id": "VCID-ccpq-g2bw-v7cr", "summary": "Cross-site Scripting\nXSS in buttle causes execution of attacker-provided code in the victim's browser when an attacker creates an arbitrary file on the server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5422", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50322", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50282", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50343", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50351", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50332", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50303", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5422" }, { "reference_url": "https://github.com/advisories/GHSA-gm29-35c7-8cfw", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gm29-35c7-8cfw" }, { "reference_url": "https://hackerone.com/reports/331032", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://hackerone.com/reports/331032" }, { "reference_url": "https://hackerone.com/reports/331110", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://hackerone.com/reports/331110" }, { "reference_url": "https://www.npmjs.com/advisories/1009", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1009" }, { "reference_url": "https://www.npmjs.com/advisories/667", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/667" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5422", "reference_id": "CVE-2019-5422", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5422" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56017?format=api", "purl": "pkg:npm/buttle@0.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bf1q-18bq-j7ca" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/buttle@0.3.0" } ], "aliases": [ "CVE-2019-5422", "GHSA-gm29-35c7-8cfw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ccpq-g2bw-v7cr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30608?format=api", "vulnerability_id": "VCID-rgvf-j9ut-nqcp", "summary": "Path Traversal\n[buttle] Path traversal in mid-buttle module allows to read any file in the server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-3766", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58067", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58101", "published_at": 
"2026-06-08T12:55:00Z" }, { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58116", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58127", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58119", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58118", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-3766" }, { "reference_url": "https://github.com/advisories/GHSA-m8cr-q935-8j67", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m8cr-q935-8j67" }, { "reference_url": "https://hackerone.com/reports/358112", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://hackerone.com/reports/358112" }, { "reference_url": "https://www.npmjs.com/advisories/990", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/990" }, { "reference_url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/449.json", "reference_id": "449", "reference_type": "", "scores": [ { "value": 
"10", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/449.json" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3766", "reference_id": "CVE-2018-3766", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3766" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56017?format=api", "purl": "pkg:npm/buttle@0.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bf1q-18bq-j7ca" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/buttle@0.3.0" } ], "aliases": [ "CVE-2018-3766", "GHSA-m8cr-q935-8j67" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rgvf-j9ut-nqcp" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/buttle@0.1.0" }