{"url":"http://public2.vulnerablecode.io/api/packages/24017?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1?distro=trixie","type":"deb","namespace":"debian","name":"apt-cacher-ng","version":"3.7.5-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"3.7.5-1.1","latest_non_vulnerable_version":"3.7.5-1.1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/203471?format=json","vulnerability_id":"VCID-4taz-4tht-9qf1","summary":"Cross-site scripting (XSS) vulnerability in job.cc in apt-cacher-ng 0.7.26 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-4510","reference_id":"","reference_type":"","scores":[{"value":"0.00268","scoring_system":"epss","scoring_elements":"0.50609","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00268","scoring_system":"epss","scoring_elements":"0.50743","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00268","scoring_system":"epss","scoring_elements":"0.5076","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-4510"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4510","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4510"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24014?format=json","purl":"pkg:deb/debian/apt-cacher-ng@0.7.26-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@0.7.26-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24015?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.6.4-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-77a7-ahg4-mkd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.6.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24013?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.4-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-77a7-ahg4-mkd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24017?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24016?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1.1%3Fdistro=trixie"}],"aliases":["CVE-2014-4510"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4taz-4tht-9qf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121819?format=json","vulnerability_id":"VCID-77a7-ahg4-mkd6","summary":"Reflected Cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows an attacker to execute malicious scripts (XSS) in the web management application. The vulnerability is caused by improper handling of GET inputs included in the URL in “/acng-report.html”.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-11146","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07944","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07979","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07977","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-11146"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11146","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11146"},{"reference_url":"https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-apt-cacher-ng","reference_id":"multiple-vulnerabilities-apt-cacher-ng","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-29T11:18:04Z/"}],"url":"https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-apt-cacher-ng"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24017?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24016?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1.1%3Fdistro=trixie"}],"aliases":["CVE-2025-11146"],"risk_score":1.2,"exploitability":"0.5","weighted_severity":"2.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-77a7-ahg4-mkd6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/205291?format=json","vulnerability_id":"VCID-9bb1-psxg-57aw","summary":"apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP response splitting via encoded newline characters, related to lack of blocking for the %0[ad] regular expression.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7443","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47527","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47668","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47683","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-7443"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7443","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7443"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858739","reference_id":"858739","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858739"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858833","reference_id":"858833","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858833"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24018?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24015?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.6.4-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-77a7-ahg4-mkd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.6.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24013?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.4-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-77a7-ahg4-mkd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24017?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24016?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1.1%3Fdistro=trixie"}],"aliases":["CVE-2017-7443"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9bb1-psxg-57aw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208011?format=json","vulnerability_id":"VCID-dtcs-774a-z7gj","summary":"apt-cacher-ng through 3.3 allows local users to obtain sensitive information by hijacking the hardcoded TCP port. The /usr/lib/apt-cacher-ng/acngtool program attempts to connect to apt-cacher-ng via TCP on localhost port 3142, even if the explicit SocketPath=/var/run/apt-cacher-ng/socket command-line option is passed. The cron job /etc/cron.daily/apt-cacher-ng (which is active by default) attempts this periodically. Because 3142 is an unprivileged port, any local user can try to bind to this port and will receive requests from acngtool. There can be sensitive data in these requests, e.g., if AdminAuth is enabled in /etc/apt-cacher-ng/security.conf. This sensitive data can leak to unprivileged local users that manage to bind to this port before the apt-cacher-ng daemon can.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5202","reference_id":"","reference_type":"","scores":[{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.2179","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.2198","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.21991","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5202"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24020?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.3.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.3.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24015?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.6.4-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-77a7-ahg4-mkd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.6.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24013?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.4-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-77a7-ahg4-mkd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24017?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24016?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1.1%3Fdistro=trixie"}],"aliases":["CVE-2020-5202"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dtcs-774a-z7gj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210639?format=json","vulnerability_id":"VCID-sr8g-6pfk-pqaq","summary":"The apt-cacher-ng package of openSUSE Leap 15.1 runs operations in user owned directory /run/apt-cacher-ng with root privileges. This can allow local attackers to influence the outcome of these operations. This issue affects: openSUSE Leap 15.1 apt-cacher-ng versions prior to 3.1-lp151.3.3.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18899","reference_id":"","reference_type":"","scores":[{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30503","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30699","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30718","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18899"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24019?format=json","purl":"pkg:deb/debian/apt-cacher-ng@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24015?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.6.4-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-77a7-ahg4-mkd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.6.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24013?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.4-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-77a7-ahg4-mkd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24017?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/24016?format=json","purl":"pkg:deb/debian/apt-cacher-ng@3.7.5-1.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1.1%3Fdistro=trixie"}],"aliases":["CVE-2019-18899"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sr8g-6pfk-pqaq"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apt-cacher-ng@3.7.5-1%3Fdistro=trixie"}