Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/377866?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/377866?format=api", "purl": "pkg:npm/vue-i18n@9.14.3", "type": "npm", "namespace": "", "name": "vue-i18n", "version": "9.14.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "9.14.5", "latest_non_vulnerable_version": "12.0.0-alpha.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/105776?format=api", "vulnerability_id": "VCID-gd4n-e4q3-mufa", "summary": "Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53892", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00586", "scoring_system": "epss", "scoring_elements": "0.69573", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00586", "scoring_system": "epss", "scoring_elements": "0.69674", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00586", "scoring_system": "epss", "scoring_elements": "0.69676", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00586", "scoring_system": "epss", "scoring_elements": "0.69663", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53892" }, { "reference_url": "https://github.com/intlify/vue-i18n", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/intlify/vue-i18n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53892", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53892" }, { "reference_url": "https://github.com/intlify/vue-i18n/pull/2229", "reference_id": "2229", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-22T14:58:31Z/" } ], "url": "https://github.com/intlify/vue-i18n/pull/2229" }, { "reference_url": "https://github.com/intlify/vue-i18n/pull/2230", "reference_id": "2230", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-22T14:58:31Z/" } ], "url": "https://github.com/intlify/vue-i18n/pull/2230" }, { "reference_url": "https://github.com/intlify/vue-i18n/commit/49f982443ab8fd94ecc427b265ce97d57df94d7e", "reference_id": "49f982443ab8fd94ecc427b265ce97d57df94d7e", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-22T14:58:31Z/" } ], "url": "https://github.com/intlify/vue-i18n/commit/49f982443ab8fd94ecc427b265ce97d57df94d7e" }, { "reference_url": "https://github.com/intlify/vue-i18n/commit/a47099619fb9b256e86341a8658ebe72e92ab099", "reference_id": "a47099619fb9b256e86341a8658ebe72e92ab099", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-22T14:58:31Z/" } ], "url": "https://github.com/intlify/vue-i18n/commit/a47099619fb9b256e86341a8658ebe72e92ab099" }, { "reference_url": "https://github.com/advisories/GHSA-x8qp-wqqm-57ph", "reference_id": "GHSA-x8qp-wqqm-57ph", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x8qp-wqqm-57ph" }, { "reference_url": "https://github.com/intlify/vue-i18n/security/advisories/GHSA-x8qp-wqqm-57ph", "reference_id": "GHSA-x8qp-wqqm-57ph", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-22T14:58:31Z/" } ], "url": "https://github.com/intlify/vue-i18n/security/advisories/GHSA-x8qp-wqqm-57ph" }, { "reference_url": "https://github.com/intlify/vue-i18n/releases/tag/v10.0.8", "reference_id": "v10.0.8", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-22T14:58:31Z/" } ], "url": "https://github.com/intlify/vue-i18n/releases/tag/v10.0.8" }, { "reference_url": "https://github.com/intlify/vue-i18n/releases/tag/v11.1.10", "reference_id": "v11.1.10", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-22T14:58:31Z/" } ], "url": "https://github.com/intlify/vue-i18n/releases/tag/v11.1.10" }, { "reference_url": "https://github.com/intlify/vue-i18n/releases/tag/v9.14.5", "reference_id": "v9.14.5", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-22T14:58:31Z/" } ], "url": "https://github.com/intlify/vue-i18n/releases/tag/v9.14.5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378449?format=api", "purl": "pkg:npm/vue-i18n@9.14.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vue-i18n@9.14.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/785608?format=api", "purl": "pkg:npm/vue-i18n@10.0.0-alpha.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-rnpx-k35u-uqd2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vue-i18n@10.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/378450?format=api", "purl": "pkg:npm/vue-i18n@10.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vue-i18n@10.0.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/785620?format=api", "purl": "pkg:npm/vue-i18n@11.0.0-beta.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-rnpx-k35u-uqd2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vue-i18n@11.0.0-beta.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/378451?format=api", "purl": "pkg:npm/vue-i18n@11.1.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vue-i18n@11.1.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/817487?format=api", "purl": "pkg:npm/vue-i18n@12.0.0-alpha.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vue-i18n@12.0.0-alpha.1" } ], "aliases": [ "CVE-2025-53892", "GHSA-x8qp-wqqm-57ph" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gd4n-e4q3-mufa" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/117330?format=api", "vulnerability_id": "VCID-rnpx-k35u-uqd2", "summary": "Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27597", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39717", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39702", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39727", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00181", "scoring_system": "epss", "scoring_elements": "0.39532", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27597" }, { "reference_url": "https://github.com/intlify/vue-i18n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/intlify/vue-i18n" }, { "reference_url": "https://github.com/intlify/vue-i18n/commit/d21e06a7440eed8ada7f522b22fcf830b98d3a53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/intlify/vue-i18n/commit/d21e06a7440eed8ada7f522b22fcf830b98d3a53" }, { "reference_url": "https://github.com/intlify/vue-i18n/commit/fbda9988d3ddd3a1a21740d506d2c183d6b6e36a", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/intlify/vue-i18n/commit/fbda9988d3ddd3a1a21740d506d2c183d6b6e36a" }, { "reference_url": "https://github.com/intlify/vue-i18n/commit/feaf13fcff427f2cb1d5ec8076e639506ba28f9e", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/intlify/vue-i18n/commit/feaf13fcff427f2cb1d5ec8076e639506ba28f9e" }, { "reference_url": "https://github.com/intlify/vue-i18n/releases/tag/v10.0.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/intlify/vue-i18n/releases/tag/v10.0.6" }, { "reference_url": "https://github.com/intlify/vue-i18n/releases/tag/v11.1.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/intlify/vue-i18n/releases/tag/v11.1.2" }, { "reference_url": "https://github.com/intlify/vue-i18n/releases/tag/v9.14.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/intlify/vue-i18n/releases/tag/v9.14.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27597", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27597" }, { "reference_url": "https://github.com/intlify/vue-i18n/commit/4bb6eacda7fc2cde5687549afa0efb27ca40862a", "reference_id": "4bb6eacda7fc2cde5687549afa0efb27ca40862a", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-07T17:59:31Z/" } ], "url": "https://github.com/intlify/vue-i18n/commit/4bb6eacda7fc2cde5687549afa0efb27ca40862a" }, { "reference_url": "https://github.com/advisories/GHSA-p2ph-7g93-hw3m", "reference_id": "GHSA-p2ph-7g93-hw3m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p2ph-7g93-hw3m" }, { "reference_url": "https://github.com/intlify/vue-i18n/security/advisories/GHSA-p2ph-7g93-hw3m", "reference_id": "GHSA-p2ph-7g93-hw3m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-07T17:59:31Z/" } ], "url": "https://github.com/intlify/vue-i18n/security/advisories/GHSA-p2ph-7g93-hw3m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377866?format=api", "purl": "pkg:npm/vue-i18n@9.14.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gd4n-e4q3-mufa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vue-i18n@9.14.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/377871?format=api", "purl": "pkg:npm/vue-i18n@10.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gd4n-e4q3-mufa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vue-i18n@10.0.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/377872?format=api", "purl": "pkg:npm/vue-i18n@11.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gd4n-e4q3-mufa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vue-i18n@11.1.2" } ], "aliases": [ "CVE-2025-27597", "GHSA-p2ph-7g93-hw3m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rnpx-k35u-uqd2" } ], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vue-i18n@9.14.3" }