Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/%40theia/mini-browser@0.4.0-next.19d2d6c5
Typenpm
Namespace@theia
Namemini-browser
Version0.4.0-next.19d2d6c5
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.9.0
Latest_non_vulnerable_version1.18.0
Affected_by_vulnerabilities
0
url VCID-bwk7-zs5k-qkex
vulnerability_id VCID-bwk7-zs5k-qkex
summary 
Insufficient Verification of Data Authenticity
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's filesystem, given their path, without restrictions on the requester's origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-17636
reference_id
reference_type
scores
0
value 0.0012
scoring_system epss
scoring_elements 0.30552
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-17636
1
reference_url https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747
2
reference_url https://github.com/eclipse-theia/theia/commit/b212d07f915df1509180944ee3132714bc2636bf
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse-theia/theia/commit/b212d07f915df1509180944ee3132714bc2636bf
3
reference_url https://github.com/eclipse-theia/theia/pull/7205
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse-theia/theia/pull/7205
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-17636
reference_id CVE-2019-17636
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-17636
5
reference_url https://github.com/advisories/GHSA-f7vx-j8mp-3h2x
reference_id GHSA-f7vx-j8mp-3h2x
reference_type
scores
url https://github.com/advisories/GHSA-f7vx-j8mp-3h2x
fixed_packages
0
url pkg:npm/%40theia/mini-browser@0.16.0
purl pkg:npm/%40theia/mini-browser@0.16.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dzh9-83r1-97c4
1
vulnerability VCID-s7ee-p5x1-1qfb
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540theia/mini-browser@0.16.0
aliases CVE-2019-17636, GHSA-f7vx-j8mp-3h2x
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bwk7-zs5k-qkex
1
url VCID-dzh9-83r1-97c4
vulnerability_id VCID-dzh9-83r1-97c4
summary 
Inclusion of Functionality from Untrusted Control Sphere
In Eclipse Theia versions up to and including, in the notification messages there is no HTML escaping, so Javascript code can run.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-28162
reference_id
reference_type
scores
0
value 0.00172
scoring_system epss
scoring_elements 0.3828
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-28162
1
reference_url https://github.com/eclipse-theia/theia/blob/master/CHANGELOG.md#v100---26032020
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse-theia/theia/blob/master/CHANGELOG.md#v100---26032020
2
reference_url https://github.com/eclipse-theia/theia/issues/7283
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse-theia/theia/issues/7283
3
reference_url https://github.com/eclipse-theia/theia/pull/7289
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse-theia/theia/pull/7289
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-28162
reference_id CVE-2021-28162
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-28162
5
reference_url https://github.com/advisories/GHSA-c94v-8fff-73ph
reference_id GHSA-c94v-8fff-73ph
reference_type
scores
url https://github.com/advisories/GHSA-c94v-8fff-73ph
fixed_packages
0
url pkg:npm/%40theia/mini-browser@0.16.1
purl pkg:npm/%40theia/mini-browser@0.16.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-s7ee-p5x1-1qfb
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540theia/mini-browser@0.16.1
1
url pkg:npm/%40theia/mini-browser@1.0.0
purl pkg:npm/%40theia/mini-browser@1.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-s7ee-p5x1-1qfb
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540theia/mini-browser@1.0.0
aliases CVE-2021-28162, GHSA-c94v-8fff-73ph
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dzh9-83r1-97c4
2
url VCID-s7ee-p5x1-1qfb
vulnerability_id VCID-s7ee-p5x1-1qfb
summary 
Cross-site Scripting
In Eclipse Theia versions up to and including, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-28161
reference_id
reference_type
scores
0
value 0.00201
scoring_system epss
scoring_elements 0.42087
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-28161
1
reference_url https://github.com/eclipse-theia/theia/issues/8794
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse-theia/theia/issues/8794
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-28161
reference_id CVE-2021-28161
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-28161
3
reference_url https://github.com/advisories/GHSA-cwg9-c9cr-p5fq
reference_id GHSA-cwg9-c9cr-p5fq
reference_type
scores
url https://github.com/advisories/GHSA-cwg9-c9cr-p5fq
fixed_packages
0
url pkg:npm/%40theia/mini-browser@1.8.1
purl pkg:npm/%40theia/mini-browser@1.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-tgrp-u3wm-s3cb
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540theia/mini-browser@1.8.1
aliases CVE-2021-28161, GHSA-cwg9-c9cr-p5fq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s7ee-p5x1-1qfb
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/%2540theia/mini-browser@0.4.0-next.19d2d6c5