Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/total.js@1.9.6-9
Typenpm
Namespace
Nametotal.js
Version1.9.6-9
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.4.8
Latest_non_vulnerable_version3.4.9
Affected_by_vulnerabilities
0
url VCID-2vcv-em7r-4baf
vulnerability_id VCID-2vcv-em7r-4baf
summary 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (column.format).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-10260
reference_id
reference_type
scores
0
value 0.00328
scoring_system epss
scoring_elements 0.56045
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-10260
1
reference_url https://github.com/totaljs/cms/commit/75205f93009db3cf8c0b0f4f1fc8ab82d70da8ad
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/cms/commit/75205f93009db3cf8c0b0f4f1fc8ab82d70da8ad
2
reference_url https://github.com/totaljs/cms/commit/8b9d7dada998c08d172481d9f0fc0397c4b3c78d
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/cms/commit/8b9d7dada998c08d172481d9f0fc0397c4b3c78d
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-10260
reference_id CVE-2019-10260
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-10260
4
reference_url https://github.com/advisories/GHSA-72p5-2r6g-fm6v
reference_id GHSA-72p5-2r6g-fm6v
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-72p5-2r6g-fm6v
fixed_packages
0
url pkg:npm/total.js@3.3.0-13
purl pkg:npm/total.js@3.3.0-13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-528e-s8wc-6ydu
1
vulnerability VCID-wmct-kms3-23hk
2
vulnerability VCID-xkck-dyh3-cfaq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/total.js@3.3.0-13
aliases CVE-2019-10260, GHSA-72p5-2r6g-fm6v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2vcv-em7r-4baf
1
url VCID-528e-s8wc-6ydu
vulnerability_id VCID-528e-s8wc-6ydu
summary 
Code Injection
The package `total.js` is vulnerable to Remote Code Execution (RCE) via `set`.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-23344
reference_id
reference_type
scores
0
value 0.12679
scoring_system epss
scoring_elements 0.94112
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-23344
1
reference_url https://github.com/totaljs/framework/commit/c812bbcab8981797d3a1b9993fc42dad3d246f04
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/commit/c812bbcab8981797d3a1b9993fc42dad3d246f04
2
reference_url https://snyk.io/vuln/SNYK-JS-TOTALJS-1077069
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-TOTALJS-1077069
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-23344
reference_id CVE-2021-23344
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-23344
fixed_packages
0
url pkg:npm/total.js@3.4.8
purl pkg:npm/total.js@3.4.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/total.js@3.4.8
aliases CVE-2021-23344, GHSA-3wj8-vp9h-rm6m
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-528e-s8wc-6ydu
2
url VCID-gj61-mm9w-9ufd
vulnerability_id VCID-gj61-mm9w-9ufd
summary 
Path Traversal
`index.js` in Total.js Platform allows path traversal.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-8903
reference_id
reference_type
scores
0
value 0.53251
scoring_system epss
scoring_elements 0.98024
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-8903
1
reference_url https://blog.certimetergroup.com/it/articolo/security/total.js-directory-traversal-cve-2019-8903
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://blog.certimetergroup.com/it/articolo/security/total.js-directory-traversal-cve-2019-8903
2
reference_url https://github.com/advisories/GHSA-3q32-j57w-q4w7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-3q32-j57w-q4w7
3
reference_url https://github.com/totaljs/framework
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework
4
reference_url https://github.com/totaljs/framework/commit/c37cafbf3e379a98db71c1125533d1e8d5b5aef7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/commit/c37cafbf3e379a98db71c1125533d1e8d5b5aef7
5
reference_url https://github.com/totaljs/framework/commit/de16238d13848149f5d1dae51f54e397a525932b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/commit/de16238d13848149f5d1dae51f54e397a525932b
6
reference_url https://www.npmjs.com/advisories/1026
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1026
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-8903
reference_id CVE-2019-8903
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-8903
fixed_packages
0
url pkg:npm/total.js@3.2.3
purl pkg:npm/total.js@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2vcv-em7r-4baf
1
vulnerability VCID-528e-s8wc-6ydu
2
vulnerability VCID-wmct-kms3-23hk
3
vulnerability VCID-xkck-dyh3-cfaq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/total.js@3.2.3
aliases CVE-2019-8903, GHSA-3q32-j57w-q4w7
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gj61-mm9w-9ufd
3
url VCID-wmct-kms3-23hk
vulnerability_id VCID-wmct-kms3-23hk
summary 
Command Injection
This affects the package `total.js` The issue occurs in the `image.pipe` and `image.stream` functions. The type parameter is used to build the command that is then executed using `child_process.spawn.` The issue occurs because `child_process.spawn` is called with the option shell set to true and because the type parameter is not properly sanitized.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-28494
reference_id
reference_type
scores
0
value 0.01199
scoring_system epss
scoring_elements 0.79228
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-28494
1
reference_url https://github.com/totaljs/framework/commit/6192491ab2631e7c1d317c221f18ea613e2c18a5
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/commit/6192491ab2631e7c1d317c221f18ea613e2c18a5
2
reference_url https://snyk.io/vuln/SNYK-JS-TOTALJS-1046672
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-TOTALJS-1046672
3
reference_url https://www.npmjs.com/package/total.js
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/total.js
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-28494
reference_id CVE-2020-28494
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-28494
fixed_packages
0
url pkg:npm/total.js@3.4.7
purl pkg:npm/total.js@3.4.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-528e-s8wc-6ydu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/total.js@3.4.7
aliases CVE-2020-28494, GHSA-4449-hg37-77v8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wmct-kms3-23hk
4
url VCID-xkck-dyh3-cfaq
vulnerability_id VCID-xkck-dyh3-cfaq
summary 
Improperly Controlled Modification of Object Prototype Attributes
The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-28495
reference_id
reference_type
scores
0
value 0.06091
scoring_system epss
scoring_elements 0.90925
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-28495
1
reference_url https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set
2
reference_url https://github.com/totaljs/framework/blob/master/utils.js%23L6606
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/blob/master/utils.js%23L6606
3
reference_url https://github.com/totaljs/framework/blob/master/utils.js%23L6617
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/blob/master/utils.js%23L6617
4
reference_url https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff
5
reference_url https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671
6
reference_url https://www.npmjs.com/package/total.js
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/total.js
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-28495
reference_id CVE-2020-28495
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-28495
fixed_packages
0
url pkg:npm/total.js@3.4.7
purl pkg:npm/total.js@3.4.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-528e-s8wc-6ydu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/total.js@3.4.7
aliases CVE-2020-28495, GHSA-6cf8-qhqj-vjqm
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xkck-dyh3-cfaq
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/total.js@1.9.6-9