{"url":"http://public2.vulnerablecode.io/api/packages/239119?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@4.7.0","type":"composer","namespace":"grumpydictator","name":"firefly-iii","version":"4.7.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.1.17","latest_non_vulnerable_version":"6.5.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41506?format=json","vulnerability_id":"VCID-1bnk-b65m-tqg6","summary":"firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3819","reference_id":"","reference_type":"","scores":[{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34031","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.33929","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3819"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/578f350498b75f31d321c78a608c7f7b3b7b07e9","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/578f350498b75f31d321c78a608c7f7b3b7b07e9"},{"reference_url":"https://huntr.dev/bounties/da82f7b6-4ffc-4109-87a4-a2a790bd44e5","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L
/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/da82f7b6-4ffc-4109-87a4-a2a790bd44e5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3819","reference_id":"CVE-2021-3819","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3819"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59144?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.1"}],"aliases":["CVE-2021-3819","GHSA-356r-77q8-f64f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1bnk-b65m-tqg6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44820?format=json","vulnerability_id":"VCID-2xs8-eknt-gyap","summary":"Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 
6.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-1789","reference_id":"","reference_type":"","scores":[{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40593","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40513","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-1789"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/6b05c0fbd3e8c40ae9b24dc2698821786fccf0c5","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T16:44:17Z/"}],"url":"https://github.com/firefly-iii/firefly-iii/commit/6b05c0fbd3e8c40ae9b24dc2698821786fccf0c5"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/pull/7043","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/pull/7043"},{"reference_url":"https://huntr.dev/bounties/2c3489f7-6b84-48f8-9368-9cea67cf373d","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3","sco
ring_elements":"CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T16:44:17Z/"}],"url":"https://huntr.dev/bounties/2c3489f7-6b84-48f8-9368-9cea67cf373d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1789","reference_id":"CVE-2023-1789","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1789"},{"reference_url":"https://github.com/advisories/GHSA-mwxw-hxvp-4r2r","reference_id":"GHSA-mwxw-hxvp-4r2r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mwxw-hxvp-4r2r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64495?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.7.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.7.18"},{"url":"http://public2.vulnerablecode.io/api/packages/64494?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@6.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.0.0"},{"url":"http://public2.vulnerab
lecode.io/api/packages/64496?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@6.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.0.1"}],"aliases":["CVE-2023-1789","GHSA-mwxw-hxvp-4r2r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2xs8-eknt-gyap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41640?format=json","vulnerability_id":"VCID-4hdz-bgf3-hqbz","summary":"firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3901","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23779","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23683","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3901"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/b42d8d1e305cad70d9b83b33cd8e0d7a4b2060c2","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/b42d8d1e305cad70d9b83b33cd8e0d7a4b2060c2"},{"reference_url":"h
ttps://huntr.dev/bounties/62508fdc-c26b-4312-bf75-fd3a3f997464","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/62508fdc-c26b-4312-bf75-fd3a3f997464"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3901","reference_id":"CVE-2021-3901","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3901"}],"fixed_packages":[],"aliases":["CVE-2021-3901","GHSA-rqgp-ccph-5w65"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4hdz-bgf3-hqbz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46788?format=json","vulnerability_id":"VCID-5as2-q475-7fgv","summary":"Firefly III allows webhooks HTML Injection.\nFirefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML 
Injection.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22075","reference_id":"","reference_type":"","scores":[{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31815","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22075"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/28021aa711500bbada649de8fab9e72b4084ab21","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/28021aa711500bbada649de8fab9e72b4084ab21"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/releases/tag/v6.1.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-17T16:31:14Z/"}],"url":"https://github.com/firefly-iii/firefly-iii/releases/tag/v6.1.1"},{"reference_url":"https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N
/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22075","reference_id":"CVE-2024-22075","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22075"},{"reference_url":"https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire/","reference_id":"front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-17T16:31:14Z/"}],"url":"https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire/"},{"reference_url":"https://github.com/advisories/GHSA-vwv2-9wcj-64vx","reference_id":"GHSA-vwv2-9wcj-64vx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vwv2-9wcj-64vx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68418?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@6.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.1.1"}],"aliases":["CVE-2024-22075","GHSA-vwv2-9wcj-64vx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerable
code.io/vulnerabilities/VCID-5as2-q475-7fgv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44864?format=json","vulnerability_id":"VCID-6ydw-rfb3-hbe3","summary":"Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-1788","reference_id":"","reference_type":"","scores":[{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45462","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45393","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-1788"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/68f398f97cbe1870fc098d8460bf903b9c3fab30","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T20:41:29Z/"}],"url":"https://github.com/firefly-iii/firefly-iii/commit/68f398f97cbe1870fc098d8460bf903b9c3fab30"},{"reference_url":"https://huntr.dev/bounties/79323c9e-e0e5-48ef-bd19-d0b09587ccb2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"4.2","scoring_system":"cvssv3.1","scor
ing_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T20:41:29Z/"}],"url":"https://huntr.dev/bounties/79323c9e-e0e5-48ef-bd19-d0b09587ccb2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1788","reference_id":"CVE-2023-1788","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1788"},{"reference_url":"https://github.com/advisories/GHSA-h7vv-46p5-prmh","reference_id":"GHSA-h7vv-46p5-prmh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h7vv-46p5-prmh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64494?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@6.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.0.0"}],"aliases":["CVE-2023-1788","GHSA-h7vv-46p5-prmh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6ydw-rfb3-hbe3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51674?format=json","vulnerability_id":"VCID-7j5p-xwqv-k3cf","summary":"Cross-site Scripting\nFirefly III is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. 
The JavaScript code is executed during `attachments/edit/$file_id$` attachment editing.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-13645","reference_id":"","reference_type":"","scores":[{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.5175","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51809","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-13645"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/17a66b3056096244a2198a7351847d26cb7b37c5","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/17a66b3056096244a2198a7351847d26cb7b37c5"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/issues/2337","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","sc
oring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/issues/2337"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13645","reference_id":"CVE-2019-13645","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13645"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/239153?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@4.7.17.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-951v-qu7n-4ybp"},{"vulnerability":"VCID-ag6y-f8nh-5kej"},{"vulnerability":"VCID-cbss-79ng-p7an"},{"vulnerability":"VCID-cpwr-nyyb-afdf"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-q2aw-rbww-nqc7"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-v5yd-vwys-f7hv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.17.3"},{"url":"http://public2.vulnerablecode.io/api/packages/58957?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@4.7.17%2B3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v5yd-vwys-f7hv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.17%252B3"}],"aliases":["CVE-2019-13645","GHSA-5hpw-vcj2-prwg"],"risk_score":3.1,"exploitability":"0
.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7j5p-xwqv-k3cf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41335?format=json","vulnerability_id":"VCID-951v-qu7n-4ybp","summary":"firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3729","reference_id":"","reference_type":"","scores":[{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30084","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30157","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3729"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/06d319cd71b7787aa919b3ba1ccf51e4ade67712","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/06d319cd71b7787aa919b3ba1ccf51e4ade67712"},{"reference_url":"https://huntr.dev/bounties/d32f3d5a-0738-41ba-89de-34f2a772de76","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/d32f3d5a-0738-41ba-89de-34f2a772de76"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3729","reference_
id":"CVE-2021-3729","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3729"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/141591?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.0"}],"aliases":["CVE-2021-3729","GHSA-gp6w-ccqv-p7qr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-951v-qu7n-4ybp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41337?format=json","vulnerability_id":"VCID-ag6y-f8nh-5kej","summary":"firefly-iii is vulnerable to Cross-Site Request Forgery 
(CSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3730","reference_id":"","reference_type":"","scores":[{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.2917","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29241","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3730"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/f80178b1b2b7864d17500a131d570c353c9a26f6","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/f80178b1b2b7864d17500a131d570c353c9a26f6"},{"reference_url":"https://huntr.dev/bounties/ea181323-51f8-46a2-a60f-6a401907feb7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/ea181323-51f8-46a2-a60f-6a401907feb7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3730","reference_id":"CVE-2021-3730","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3730"}],"fixed_pac
kages":[{"url":"http://public2.vulnerablecode.io/api/packages/141591?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.0"}],"aliases":["CVE-2021-3730","GHSA-c676-mcw3-qg55"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ag6y-f8nh-5kej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51671?format=json","vulnerability_id":"VCID-b23p-cn7c-k7av","summary":"Cross-site Scripting\nFirefly III is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. 
The JavaScript code is executed during `attachments/view/$file_id$` attachment viewing.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-13647","reference_id":"","reference_type":"","scores":[{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42845","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42771","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-13647"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/531161db0902154fed433bb33bdb2cabd61ae6dc","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/531161db0902154fed433bb33bdb2cabd61ae6dc"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/issues/2338","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/issues/2338"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13647","reference_id":"CVE-2019-13647","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scori
ng_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13647"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/239153?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@4.7.17.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-951v-qu7n-4ybp"},{"vulnerability":"VCID-ag6y-f8nh-5kej"},{"vulnerability":"VCID-cbss-79ng-p7an"},{"vulnerability":"VCID-cpwr-nyyb-afdf"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-q2aw-rbww-nqc7"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-v5yd-vwys-f7hv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.17.3"},{"url":"http://public2.vulnerablecode.io/api/packages/58957?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@4.7.17%2B3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v5yd-vwys-f7hv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.17%252B3"}],"aliases":["CVE-2019-13647","GHSA-pcxq-28f6-m3fm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b23p-cn7c-k7av"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41244?format=json","vulnerability_id":"VCID-cbss-79ng-p7an","summary":"firefly-iii is vulnerable to Improper Restriction of Excessive Authentication 
Attempts","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3663","reference_id":"","reference_type":"","scores":[{"value":"0.0016","scoring_system":"epss","scoring_elements":"0.36681","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0016","scoring_system":"epss","scoring_elements":"0.36587","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3663"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/afc9f4b7ebc8a240c85864a6e1abda62bfeefae8","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/afc9f4b7ebc8a240c85864a6e1abda62bfeefae8"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/releases/tag/5.5.13","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/releases/tag/5.5.13"},{"reference_url":"https://huntr.dev/bounties/497bdf6d-7dba-49c3-8011-1c64dfbb3380","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/497bdf6d-7dba-49c3-8011-1c64df
bb3380"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3663","reference_id":"CVE-2021-3663","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3663"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58493?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.5.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-951v-qu7n-4ybp"},{"vulnerability":"VCID-ag6y-f8nh-5kej"},{"vulnerability":"VCID-cpwr-nyyb-afdf"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.5.13"},{"url":"http://public2.vulnerablecode.io/api/packages/530422?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.6.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-951v-qu7n-4ybp"},{"vulnerability":"VCID-ag6y-f8nh-5kej"},{"vulnerability":"VCID-cpwr-nyyb-afdf"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"
vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.0-alpha.1"}],"aliases":["CVE-2021-3663","GHSA-56cx-wf47-hx7w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cbss-79ng-p7an"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41339?format=json","vulnerability_id":"VCID-cpwr-nyyb-afdf","summary":"firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3728","reference_id":"","reference_type":"","scores":[{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.2917","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29241","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3728"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/14cdce113e0eb8090d09066fcd2b5cf03b5ac84e","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/14cdce113e0eb8090d09066fcd2b5cf03b5ac84e"},{"reference_url":"https://huntr
.dev/bounties/dd54c5a1-0d4a-4f02-a111-7ce4ddc67a4d","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/dd54c5a1-0d4a-4f02-a111-7ce4ddc67a4d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3728","reference_id":"CVE-2021-3728","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3728"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/141591?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.0"}],"aliases":["CVE-2021-3728","GHSA-xp5q-77mh-6hm2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cpwr-nyyb-afdf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41709?format=json","vulnerability_id":"VCID-f1nj-u7yz-zycr","summary":"firefly-iii is vulnerable to Cross-Site Request Forgery 
(CSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3921","reference_id":"","reference_type":"","scores":[{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30101","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30173","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3921"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/47fa9e39561a9ec9e210e4023d090a7b33381684","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/47fa9e39561a9ec9e210e4023d090a7b33381684"},{"reference_url":"https://huntr.dev/bounties/724d3fd5-9f04-45c4-98d6-35a7d15468f5","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/724d3fd5-9f04-45c4-98d6-35a7d15468f5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3921","reference_id":"CVE-2021-3921","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3921"},{"referenc
e_url":"https://github.com/advisories/GHSA-q2cv-94xm-qvg4","reference_id":"GHSA-q2cv-94xm-qvg4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q2cv-94xm-qvg4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59544?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.6.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.3"}],"aliases":["CVE-2021-3921","GHSA-q2cv-94xm-qvg4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f1nj-u7yz-zycr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41639?format=json","vulnerability_id":"VCID-hbpp-jqk1-cubw","summary":"firefly-iii is vulnerable to Cross-Site Request Forgery 
(CSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3900","reference_id":"","reference_type":"","scores":[{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.46991","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47056","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3900"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/c2c8c42ef3194d1aeba8c48240fe2e9063f77635","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/c2c8c42ef3194d1aeba8c48240fe2e9063f77635"},{"reference_url":"https://huntr.dev/bounties/909e55b6-ef02-4143-92e4-bc3e8397db76","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/909e55b6-ef02-4143-92e4-bc3e8397db76"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3900","reference_id":"CVE-2021-3900","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3900"}],"fixed_pa
ckages":[],"aliases":["CVE-2021-3900","GHSA-pfj7-w373-gqch"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hbpp-jqk1-cubw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55372?format=json","vulnerability_id":"VCID-jfps-wzcx-vyfj","summary":"Firefly III has a MFA bypass in oauth flow\nAn MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try to sign an OAuth application up to a user's profile quite easily if they have created one. The attacker would also need to know the victim's username and password.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37893","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08441","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37893"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://owasp.org/www-community/attacks/Password_Spraying_Attack","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-15T19:20:53Z/"}],"url":"https://owasp.org/w
ww-community/attacks/Password_Spraying_Attack"},{"reference_url":"https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-15T19:20:53Z/"}],"url":"https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37893","reference_id":"CVE-2024-37893","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37893"},{"reference_url":"https://github.com/advisories/GHSA-4gm4-c4mh-4p7w","reference_id":"GHSA-4gm4-c4mh-4p7w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4gm4-c4mh-4p7w"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-4gm4-c4mh-4p7w","reference_id":"GHSA-4gm4-c4mh-4p7w","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-15T19:20:53Z/"}],"url":"https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-4gm4-c4mh-4p7w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81870?format=json","purl":"pkg:co
mposer/grumpydictator/firefly-iii@6.1.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.1.17"}],"aliases":["CVE-2024-37893","GHSA-4gm4-c4mh-4p7w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jfps-wzcx-vyfj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41809?format=json","vulnerability_id":"VCID-pvmv-dy5p-pkbn","summary":"firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4005","reference_id":"","reference_type":"","scores":[{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.36737","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.36829","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4005"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/03a1601bf343181df9f405dd2109aec483cb7053","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/03a1601bf343181df9f405dd2109aec483cb7053"},{"reference_url":"https://huntr.dev/bounties/bf4ef581-325a-492d-a710-14fcb53f00ff","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scor
ing_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/bf4ef581-325a-492d-a710-14fcb53f00ff"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4005","reference_id":"CVE-2021-4005","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4005"},{"reference_url":"https://github.com/advisories/GHSA-hjhp-hwfj-hwf3","reference_id":"GHSA-hjhp-hwfj-hwf3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hjhp-hwfj-hwf3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59713?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.6.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.5"}],"aliases":["CVE-2021-4005","GHSA-hjhp-hwfj-hwf3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pvmv-dy5p-pkbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53741?format=json","vulnerability_id":"VCID-q2aw-rbww-nqc7","summary":"Cross-site Scripting\nAn XSS vulnerability in the auto-complete function of the description field (for new or edited transactions) in Firefly III allows the user to execute JavaScript via suggested transaction titles. 
NOTE: this is exploitable only in a non-default configuration where Content Security Policy headers are disabled.","references":[{"reference_url":"https://github.com/firefly-iii/firefly-iii/issues/3990","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/firefly-iii/firefly-iii/issues/3990"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-27981","reference_id":"CVE-2020-27981","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-27981"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79028?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-951v-qu7n-4ybp"},{"vulnerability":"VCID-ag6y-f8nh-5kej"},{"vulnerability":"VCID-cbss-79ng-p7an"},{"vulnerability":"VCID-cpwr-nyyb-afdf"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.4.5"}],"aliases":["CVE-2020-27981"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q2aw-rbww-nqc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54695?format=json","vulnerability_id":"VCID-t96s-982j-d3fr","summary":"Incorrect Authorization\nImproper Authorization in GitHub repository firefly-iii/firefly-iii prior to 
5.8.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-0298","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37322","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.3723","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-0298"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/db0500dcf0d4f1990fc7a377ef0d56c3884fcaa4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-07T18:41:12Z/"}],"url":"https://github.com/firefly-iii/firefly-iii/commit/db0500dcf0d4f1990fc7a377ef0d56c3884fcaa4"},{"reference_url":"https://huntr.dev/bounties/9689052c-c1d7-4aae-aa08-346c9b6e04ed","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-07T18:41:12Z/"}],
"url":"https://huntr.dev/bounties/9689052c-c1d7-4aae-aa08-346c9b6e04ed"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0298","reference_id":"CVE-2023-0298","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0298"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64493?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xs8-eknt-gyap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.8.0"}],"aliases":["CVE-2023-0298","GHSA-7mc4-jp4f-v2j2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t96s-982j-d3fr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41607?format=json","vulnerability_id":"VCID-u76r-dx9g-5fcv","summary":"firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous 
Type","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3846","reference_id":"","reference_type":"","scores":[{"value":"0.00237","scoring_system":"epss","scoring_elements":"0.46975","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00237","scoring_system":"epss","scoring_elements":"0.47041","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3846"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/a85b6420c19ace35134f896e094e1971d8c7954b","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/a85b6420c19ace35134f896e094e1971d8c7954b"},{"reference_url":"https://huntr.dev/bounties/5267ec1c-d204-40d2-bd4f-6c2dd495ee18","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/5267ec1c-d204-40d2-bd4f-6c2dd495ee18"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3846","reference_id":"CVE-2021-3846","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3846"},{"reference_url":"https://github.com/advisories/GHSA-5gq7-826w-8282","reference_id":"GHSA-5gq7-826w-8282","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5gq7-826w-8282"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59317?format=json","purl":"pkg:compo
ser/grumpydictator/firefly-iii@5.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.2"}],"aliases":["CVE-2021-3846","GHSA-5gq7-826w-8282"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u76r-dx9g-5fcv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41445?format=json","vulnerability_id":"VCID-v5yd-vwys-f7hv","summary":"Improper Input Validation\nFirefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. 
This is related to fints_url to import/job/configuration, and import/create/fints.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-14671","reference_id":"","reference_type":"","scores":[{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.16749","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.16829","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-14671"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/e80d616ef4397e6e764f6b7b7a5b30121244933c","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/e80d616ef4397e6e764f6b7b7a5b30121244933c"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/issues/2367","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/issues/2367"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14671","reference_id":"CVE-2019-14671","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14671"},{"reference_url":"https://github.com/advisories/GHSA-jjcx-999m-35hc","reference_id":"GHSA-jjcx-999m-35hc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jjcx-999m-35hc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58958?format=json","purl":"pkg:composer/gru
mpydictator/firefly-iii@4.7.17%2B4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.17%252B4"},{"url":"http://public2.vulnerablecode.io/api/packages/276569?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@4.7.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-951v-qu7n-4ybp"},{"vulnerability":"VCID-ag6y-f8nh-5kej"},{"vulnerability":"VCID-cbss-79ng-p7an"},{"vulnerability":"VCID-cpwr-nyyb-afdf"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-q2aw-rbww-nqc7"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.17.4"}],"aliases":["CVE-2019-14671","GHSA-jjcx-999m-35hc"],"risk_score":1.5,"exploitability":"0.5","weighted_severity":"3.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v5yd-vwys-f7hv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51670?format=json","vulnerability_id":"VCID-v776-99j4-mua2","summary":"Cross-site Scripting\nFirefly III is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. 
The JavaScript code is contained in a transaction, and is executed on the `tags/show/$tag_number$` tag summary page.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-13644","reference_id":"","reference_type":"","scores":[{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.4525","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45319","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-13644"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/def307010c388c4e92d7066671ad62e477cc087a","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/def307010c388c4e92d7066671ad62e477cc087a"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/compare/76aa8ac...45b8c36","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-29T19:39:56Z/"}],"url":"https://github.com/firefly-iii/firefly-iii/compare/76aa8ac...45b8c36"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/issues/2335","reference_id":"","reference_type":"","scores":[{"value":"5.4","sco
ring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-29T19:39:56Z/"}],"url":"https://github.com/firefly-iii/firefly-iii/issues/2335"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13644","reference_id":"CVE-2019-13644","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13644"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75777?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@4.7.17%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.17%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/239151?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@4.7.17.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-7j5p-xwqv-k3cf"},{"vulnerability":"VCID-951v-qu7n-4ybp"},{"vulnerability":"VCID-ag6y-f8nh-5kej"},{"vulnerability":"VCID-b23p-cn7c-k7av"},{"vulnerability":"VCID-cbss-79ng-p7an"},{"vulnerability":"VCID-cpwr-nyyb-afdf"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-q2aw-rbww-nqc7"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-v5yd-vwys-f7hv"},{"vulne
rability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-xvtj-8abr-tuem"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.17.1"}],"aliases":["CVE-2019-13644","GHSA-9xmx-rj7j-fv9q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v776-99j4-mua2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41787?format=json","vulnerability_id":"VCID-vkg3-xm11-3qdh","summary":"firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4015","reference_id":"","reference_type":"","scores":[{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.36829","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.36737","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4015"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/518b4ba5a7a56760902758ae0a2c6a392c2f4d37","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/518b4ba5a7a56760902758ae0a2c6a392c2f4d37"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/releases/tag/5.6.5","reference_id":"","reference_type":"",
"scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/releases/tag/5.6.5"},{"reference_url":"https://huntr.dev/bounties/b698d445-602d-4701-961c-dffe6d3009b1","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/b698d445-602d-4701-961c-dffe6d3009b1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4015","reference_id":"CVE-2021-4015","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4015"},{"reference_url":"https://github.com/advisories/GHSA-g6vq-wc8w-4g69","reference_id":"GHSA-g6vq-wc8w-4g69","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g6vq-wc8w-4g69"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59690?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.4"},{"url":"http://public2.vulnerablecode.io/api/packages/59713?format=json","purl":"pkg:composer/grumpydictator/
firefly-iii@5.6.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.5"}],"aliases":["CVE-2021-4015","GHSA-g6vq-wc8w-4g69"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vkg3-xm11-3qdh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41604?format=json","vulnerability_id":"VCID-wh6m-3mp3-gbfb","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nfirefly-iii is vulnerable to URL Redirection to Untrusted Site","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3851","reference_id":"","reference_type":"","scores":[{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37815","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37906","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3851"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/8662dfa4c0f71efef61c31dc015c6f723db8318d","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https:
//github.com/firefly-iii/firefly-iii/commit/8662dfa4c0f71efef61c31dc015c6f723db8318d"},{"reference_url":"https://huntr.dev/bounties/549a1040-9b5e-420b-9b80-20700dd9d592","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/549a1040-9b5e-420b-9b80-20700dd9d592"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3851","reference_id":"CVE-2021-3851","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3851"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59317?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@5.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.2"}],"aliases":["CVE-2021-3851","GHSA-5fvx-5p2r-4mvp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wh6m-3mp3-gbfb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51673?format=json","vulnerability_id":"VCID-xvtj-8abr-tuem","summary":"Cross-site Scripting\nFirefly III is vulnerable to reflected XSS 
due to lack of filtration of user-supplied data in a search query.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-13646","reference_id":"","reference_type":"","scores":[{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51809","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.5175","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-13646"},{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/commit/f795cb07e1bb9ad3bd0dceeafbb0ece4ebe518d7","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/commit/f795cb07e1bb9ad3bd0dceeafbb0ece4ebe518d7"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/issues/2339","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],
"url":"https://github.com/firefly-iii/firefly-iii/issues/2339"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13646","reference_id":"CVE-2019-13646","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13646"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/239153?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@4.7.17.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1bnk-b65m-tqg6"},{"vulnerability":"VCID-2xs8-eknt-gyap"},{"vulnerability":"VCID-4hdz-bgf3-hqbz"},{"vulnerability":"VCID-5as2-q475-7fgv"},{"vulnerability":"VCID-6ydw-rfb3-hbe3"},{"vulnerability":"VCID-951v-qu7n-4ybp"},{"vulnerability":"VCID-ag6y-f8nh-5kej"},{"vulnerability":"VCID-cbss-79ng-p7an"},{"vulnerability":"VCID-cpwr-nyyb-afdf"},{"vulnerability":"VCID-f1nj-u7yz-zycr"},{"vulnerability":"VCID-hbpp-jqk1-cubw"},{"vulnerability":"VCID-jfps-wzcx-vyfj"},{"vulnerability":"VCID-pvmv-dy5p-pkbn"},{"vulnerability":"VCID-q2aw-rbww-nqc7"},{"vulnerability":"VCID-t96s-982j-d3fr"},{"vulnerability":"VCID-u76r-dx9g-5fcv"},{"vulnerability":"VCID-v5yd-vwys-f7hv"},{"vulnerability":"VCID-vkg3-xm11-3qdh"},{"vulnerability":"VCID-wh6m-3mp3-gbfb"},{"vulnerability":"VCID-zyzb-95vu-bfbp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.17.3"},{"url":"http://public2.vulnerablecode.io/api/packages/58957?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@4.7.17%2B3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v5yd-vwys-f7hv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.17%252B3"}],"aliases":["CVE-2019-13646","GHSA-mrc2-h7q2-pp97"],"risk_score":3.1,"exploitability":"0.5","weighted_severit
y":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xvtj-8abr-tuem"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46920?format=json","vulnerability_id":"VCID-zyzb-95vu-bfbp","summary":"C5 Firefly III CSV Injection.\n### Summary\nCSV injection is a vulnerability where untrusted user input in CSV files can lead to unauthorized access or data manipulation. \nIn my subsequent testing of the application.\n\n### Details\nI discovered that there is an option to \"Export Data\" from the web app to your personal computer, which exports a \"csv\" file that can be opened with Excel software that supports macros.\n\nP.S \nI discovered that the web application is offering a demo-site that anyone may access to play with the web application. So, there's a chance that someone will export the data (CSV) from the demo site and execute it on their PC, giving the malicious actor complete control over their machine. (if a user enters a malicious payload to the website).\n\n### PoC\nYou can check out my vulnerability report if you need more details/PoC with screenshots: (removed by JC5)\n\n### Impact\nAn attacker can exploit this by entering a specially crafted payload to one of the fields, and when a user exports the csv file using the \"Export Data\" function, the attacker can potentially achieve RCE.\n\n### Addendum by JC5, the developer of Firefly III\nThere is zero impact on normal users, even on vulnerable 
versions.","references":[{"reference_url":"https://github.com/firefly-iii/firefly-iii","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii"},{"reference_url":"https://github.com/advisories/GHSA-29w6-c52g-m8jc","reference_id":"GHSA-29w6-c52g-m8jc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-29w6-c52g-m8jc"},{"reference_url":"https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-29w6-c52g-m8jc","reference_id":"GHSA-29w6-c52g-m8jc","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-29w6-c52g-m8jc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68662?format=json","purl":"pkg:composer/grumpydictator/firefly-iii@6.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jfps-wzcx-vyfj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.1.7"}],"aliases":["GHSA-29w6-c52g-m8jc","GMS-2024-52"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zyzb-95vu-bfbp"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.0"}