{"url":"http://public2.vulnerablecode.io/api/packages/35062?format=json","purl":"pkg:pypi/sentry@23.3.1","type":"pypi","namespace":"","name":"sentry","version":"23.3.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89700?format=json","vulnerability_id":"VCID-377t-5sem-dffh","summary":"Sentry: Improper authentication on SAML SSO process allows user identity linking\n### Impact\nA critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program.\n\nThe vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.\n\nFor self-hosted users, you are only vulnerable if the following conditions are met:\n- You have more than one organization configured (SENTRY_SINGLE_ORGANIZATION = False).\n- A malicious user has existing access and permissions to modify SSO settings for another organization in your multo-organization instance. \n\n### Patches\n- [Sentry SaaS](https://sentry.io/): The fix was deployed on February 18, 2026. No action is required.\n- [Self-Hosted Sentry](https://github.com/getsentry/self-hosted): If only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. We recommend upgrading to version 26.2.0 or higher.\n\n### Workarounds\nUser account-based two-factor authentication prevents an attacker from being able to complete authentication with a victim's user account. 
Organization administrators cannot do this on a user's behalf, this requires individual users to ensure 2FA has been enabled for their account.\n\nYou can manage your two-factor authentication settings on your Account Settings > [Security](https://sentry.io/settings/account/security/) page. For step-by-step details, please see our [helpdesk article](https://sentry.zendesk.com/hc/en-us/articles/46773315774235-How-do-I-enable-two-factor-authentication-2FA-on-my-Sentry-account).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27197","reference_id":"","reference_type":"","scores":[{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18563","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18462","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18442","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18524","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18559","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27197"},{"reference_url":"https://github.com/getsentry/sentry","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getsentry/sentry"},{"reference_url":"https://github.com/getsentry/sentry/pull/108458","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getsentry/sentry/pull/108458"},{"reference_url":"https://github.com/getsentry/sentry/security/adv
isories/GHSA-ggmg-cqg6-j45g","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-24T18:59:48Z/"}],"url":"https://github.com/getsentry/sentry/security/advisories/GHSA-ggmg-cqg6-j45g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27197","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27197"},{"reference_url":"https://github.com/advisories/GHSA-ggmg-cqg6-j45g","reference_id":"GHSA-ggmg-cqg6-j45g","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ggmg-cqg6-j45g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126266?format=json","purl":"pkg:pypi/sentry@26.2.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sentry@26.2.0"}],"aliases":["CVE-2026-27197","GHSA-ggmg-cqg6-j45g"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-377t-5sem-dffh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89917?format=json","vulnerability_id":"VCID-9v4x-4rxd-sfhj","summary":"Sentry's improper authentication on SAML SSO process allows user identity linking\n### Impact\nA critical vulnerability was discovered in the SAML SSO implementation of Sentry. 
It was reported to us via Sentry's private bug bounty program.\n\nThe vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.\n\nSelf-hosted users are only vulnerable if the following conditions are met:\n- They have more than one organization configured (SENTRY_SINGLE_ORGANIZATION = False).\n- A malicious user has existing access and permissions to modify SSO settings for another organization in their multi-organization instance. \n\n### Patches\n- [Sentry SaaS](https://sentry.io/): The fix was deployed in April. No action is required.\n- [Self-Hosted Sentry](https://github.com/getsentry/self-hosted): If only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. Sentry recommends upgrading to version 26.4.1 or higher.\n\n### Workarounds\nUser account-based two-factor authentication prevents an attacker from being able to complete authentication with a victim's user account. Organization administrators cannot do this on a user's behalf, this requires individual users to ensure 2FA has been enabled for their account.\n\nUsers can manage their two-factor authentication settings through Account Settings > [Security](https://sentry.io/settings/account/security/) page. 
For step-by-step details, please see the Sentry [helpdesk article](https://sentry.zendesk.com/hc/en-us/articles/46773315774235-How-do-I-enable-two-factor-authentication-2FA-on-my-Sentry-account).\n\n### Resources\n\n- https://github.com/getsentry/sentry/pull/113720 \n\nPlease note that this is distinct vulnerability from the similar https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3w from 2025.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42354","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.0158","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01578","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01586","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01924","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42354"},{"reference_url":"https://github.com/getsentry/sentry","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getsentry/sentry"},{"reference_url":"https://github.com/getsentry/sentry/commit/0c67558ae7fe08738912d4c5233b53ead048da3b","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-11T14:37:47Z/"}],"url":"https://github.com/getsentry/sentry/commit/0c67558ae7fe08738912d4c5233b53ead048da3b"},{"reference_url":"https://github.com/getsentr
y/sentry/pull/113720","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-11T14:37:47Z/"}],"url":"https://github.com/getsentry/sentry/pull/113720"},{"reference_url":"https://github.com/getsentry/sentry/releases/tag/26.4.1","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-11T14:37:47Z/"}],"url":"https://github.com/getsentry/sentry/releases/tag/26.4.1"},{"reference_url":"https://github.com/getsentry/sentry/security/advisories/GHSA-rcmw-7mc7-3rj7","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-11T14:37:47Z/"}],"url":"https://github.com/getsentry/sentry/security/advisories/GHSA-rcmw-7mc7-3rj7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42354","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42354"},{"reference_url":"https://github.com/advisories/GHSA-rcmw-7mc7-3rj7","reference_id":"GHSA-rcmw-
7mc7-3rj7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rcmw-7mc7-3rj7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111179?format=json","purl":"pkg:pypi/sentry@26.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sentry@26.4.1"}],"aliases":["CVE-2026-42354","GHSA-rcmw-7mc7-3rj7"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9v4x-4rxd-sfhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56481?format=json","vulnerability_id":"VCID-c1hn-9udz-23ha","summary":"Sentry's improper authentication on SAML SSO process allows user impersonation\nA critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program.\n\nThe vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. 
The victim email address must be known in order to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-22146","reference_id":"","reference_type":"","scores":[{"value":"0.00398","scoring_system":"epss","scoring_elements":"0.6095","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.68006","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.67991","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.68004","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0054","scoring_system":"epss","scoring_elements":"0.68015","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-22146"},{"reference_url":"https://github.com/getsentry/sentry","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getsentry/sentry"},{"reference_url":"https://github.com/getsentry/sentry/commit/6db508f7949d117c7dff748a3c82c3a272bf7cfd","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getsentry/sentry/commit/6db508f7949d117c7dff748a3c82c3a272bf7cfd"},{"reference_url":"https://github.com/getsentry/sentry/pull/83407","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/202
5-01-15T20:44:21Z/"}],"url":"https://github.com/getsentry/sentry/pull/83407"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22146","reference_id":"CVE-2025-22146","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22146"},{"reference_url":"https://github.com/advisories/GHSA-7pq6-v88g-wf3w","reference_id":"GHSA-7pq6-v88g-wf3w","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7pq6-v88g-wf3w"},{"reference_url":"https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3w","reference_id":"GHSA-7pq6-v88g-wf3w","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-15T20:44:21Z/"}],"url":"https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83830?format=json","purl":"pkg:pypi/sentry@25.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sentry@25.1.0"}],"aliases":["CVE-2025-22146","GHSA-7pq6-v88g-wf3w"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c1hn-9udz-23ha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45806?format=json","vulnerability_id":"VCID-c9gg-5w97-e3hp","summary":"Improper Authentication\nSentry is an error 
tracking and performance monitoring platform. Starting in version 10.0.0 and prior to version 23.7.2, an attacker with sufficient client-side exploits could retrieve a valid access token for another user during the OAuth token exchange due to incorrect credential validation. The client ID must be known and the API application must have already been authorized on the targeted user account. Sentry SaaS customers do not need to take any action. Self-hosted installations should upgrade to version 23.7.2 or higher. There are no direct workarounds, but users should review applications authorized on their account and remove any that are no longer needed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39531","reference_id":"","reference_type":"","scores":[{"value":"0.00153","scoring_system":"epss","scoring_elements":"0.35778","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00153","scoring_system":"epss","scoring_elements":"0.35832","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00153","scoring_system":"epss","scoring_elements":"0.35842","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00153","scoring_system":"epss","scoring_elements":"0.35802","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00153","scoring_system":"epss","scoring_elements":"0.35763","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39531"},{"reference_url":"https://github.com/getsentry/sentry","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getsentry/sentry"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39531","reference_id":"CVE-2023-39531","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"MOD
ERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39531"},{"reference_url":"https://github.com/advisories/GHSA-hgj4-h2x3-rfx4","reference_id":"GHSA-hgj4-h2x3-rfx4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hgj4-h2x3-rfx4"},{"reference_url":"https://github.com/getsentry/sentry/security/advisories/GHSA-hgj4-h2x3-rfx4","reference_id":"GHSA-hgj4-h2x3-rfx4","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T15:12:07Z/"}],"url":"https://github.com/getsentry/sentry/security/advisories/GHSA-hgj4-h2x3-rfx4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66487?format=json","purl":"pkg:pypi/sentry@23.7.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sentry@23.7.2"}],"aliases":["CVE-2023-39531","GHSA-hgj4-h2x3-rfx4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c9gg-5w97-e3hp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36497?format=json","vulnerability_id":"VCID-g8t2-9fj3-z7fn","summary":"Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. 
A patch was issued in version 23.5.2 to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36826","reference_id":"","reference_type":"","scores":[{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40317","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40275","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40261","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40315","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40291","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36826"},{"reference_url":"https://github.com/getsentry/sentry","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getsentry/sentry"},{"reference_url":"https://github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"8.3","scoring_system"
:"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T19:25:05Z/"}],"url":"https://github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9"},{"reference_url":"https://github.com/getsentry/sentry/pull/49680","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T19:25:05Z/"}],"url":"https://github.com/getsentry/sentry/pull/49680"},{"reference_url":"https://github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T19:25:05Z/"}],"url":"https://github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8"},{"reference_url":"https://github.com/pypa/advisory-database/tree
/main/vulns/sentry/PYSEC-2023-130.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/sentry/PYSEC-2023-130.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36826","reference_id":"CVE-2023-36826","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36826"},{"reference_url":"https://github.com/advisories/GHSA-m4hc-m2v6-hfw8","reference_id":"GHSA-m4hc-m2v6-hfw8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m4hc-m2v6-hfw8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35066?format=json","purl":"pkg:pypi/sentry@23.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-377t-5sem-dffh"},{"vulnerability":"VCID-9v4x-4rxd-sfhj"},{"vulnerability":"VCID-ae8m-e7b2-qfcz"},{"vulnerability":"VCID-c1hn-9udz-23ha"},{"vulnerability":"VCID-c9gg-5w97-e3hp"},{"vulnerability":"VCID-ny6p-arhh-vue6"},{"vulnerability":"VCID-qtaw-hjmn-rqe4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sentry@23.5.2"}],"aliases":["CVE-2023-36826","GHSA-m4hc-m2v6-hfw8","PYSEC-2023-130"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VC
ID-g8t2-9fj3-z7fn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55570?format=json","vulnerability_id":"VCID-ny6p-arhh-vue6","summary":"Sentry vulnerable to stored Cross-Site Scripting (XSS)\nAn unsanitized payload sent by an Integration platform integration allows the storage of arbitrary HTML tags on the Sentry side. This payload could subsequently be rendered on the Issues page, creating a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability might lead to the execution of arbitrary scripts in the context of a user’s browser.\n\nSelf-hosted Sentry users may be impacted if untrustworthy Integration platform integrations send external issues to their Sentry instance.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41656","reference_id":"","reference_type":"","scores":[{"value":"0.04185","scoring_system":"epss","scoring_elements":"0.88935","published_at":"2026-06-09T12:55:00Z"},{"value":"0.04185","scoring_system":"epss","scoring_elements":"0.88918","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41656"},{"reference_url":"https://github.com/getsentry/self-hosted/releases/tag/24.7.1","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-24T13:34:14Z/"}],"url":"https://github.com/getsentry/self-hosted/releases/tag/24.7.1"},{"reference_url":"https://github.com/getsentry/sentry","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getsentry/sentry"},{"reference_url":"https://github.co
m/getsentry/sentry/commit/5c679521f1539eabfb81287bfc30f34dbecd373e","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-24T13:34:14Z/"}],"url":"https://github.com/getsentry/sentry/commit/5c679521f1539eabfb81287bfc30f34dbecd373e"},{"reference_url":"https://github.com/getsentry/sentry/pull/74648","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-24T13:34:14Z/"}],"url":"https://github.com/getsentry/sentry/pull/74648"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41656","reference_id":"CVE-2024-41656","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41656"},{"reference_url":"https://github.com/advisories/GHSA-fm88-hc3v-3www","reference_id":"GHSA-fm88-hc3v-3www","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fm88-hc3v-3www"},{"reference_url":"https://github.com/getsentry/sentry/security/advisories/GHSA-fm88-hc3v-3www","reference_id":"GHSA-fm88-hc3v-3www","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system"
:"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-24T13:34:14Z/"}],"url":"https://github.com/getsentry/sentry/security/advisories/GHSA-fm88-hc3v-3www"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82250?format=json","purl":"pkg:pypi/sentry@24.7.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sentry@24.7.1"}],"aliases":["CVE-2024-41656","GHSA-fm88-hc3v-3www"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ny6p-arhh-vue6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45796?format=json","vulnerability_id":"VCID-qtaw-hjmn-rqe4","summary":"Improper Authentication\nSentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version 23.7.2, an attacker with access to a token with few or no scopes can query `/api/0/api-tokens/` for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests. There is no evidence that the issue was exploited on `sentry.io`. For self-hosted users, it is advised to rotate user auth tokens. A fix is available in version 23.7.2 of `sentry` and `self-hosted`. 
There are no known workarounds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39349","reference_id":"","reference_type":"","scores":[{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37152","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37101","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37087","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37126","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37159","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39349"},{"reference_url":"https://github.com/getsentry/self-hosted/releases/tag/23.7.2","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-04T18:24:29Z/"}],"url":"https://github.com/getsentry/self-hosted/releases/tag/23.7.2"},{"reference_url":"https://github.com/getsentry/sentry","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getsentry/sentry"},{"reference_url":"https://github.com/getsentry/sentry/commit/fad12c1150d1135edf9666ea72ca11bc110c1083","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-04T18:24:29Z/"}],"url":"https://github.com/getsentry/sentry/commit/fad12c1150d1135edf9666ea72ca11bc110c1083"},{"reference_url":"https://github.com/getsentry/sentry/pull/53850","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-04T18:24:29Z/"}],"url":"https://github.com/getsentry/sentry/pull/53850"},{"reference_url":"https://github.com/getsentry/sentry/releases/tag/23.7.2","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-04T18:24:29Z/"}],"url":"https://github.com/getsentry/sentry/releases/tag/23.7.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39349","reference_id":"CVE-2023-39349","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39349"},{"reference_url":"https://github.com/advisories/GHSA-9jcq-jf57-c62c","reference_id":"GHSA-9jcq-jf57-c62c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9jcq-jf57-c62c"},{"reference_url":"https://github.com/getsentry/sentry/security/advisories/GHSA-9jcq-jf57-c62c","reference_id":"GHSA-9jcq-jf57-c62c","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements"
:"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-04T18:24:29Z/"}],"url":"https://github.com/getsentry/sentry/security/advisories/GHSA-9jcq-jf57-c62c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66487?format=json","purl":"pkg:pypi/sentry@23.7.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sentry@23.7.2"}],"aliases":["CVE-2023-39349","GHSA-9jcq-jf57-c62c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qtaw-hjmn-rqe4"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/sentry@23.3.1"}