{"url":"http://public2.vulnerablecode.io/api/packages/434041?format=json","purl":"pkg:npm/webtorrent@0.85.1","type":"npm","namespace":"","name":"webtorrent","version":"0.85.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.107.6","latest_non_vulnerable_version":"0.107.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47712?format=json","vulnerability_id":"VCID-3wva-n1jv-u7h8","summary":"Cross-Site Scripting in webtorrent\nVersions of `webtorrent` prior to 0.107.6 are vulnerable to Cross-Site Scripting. `webtorrent` servers started with `torrent.createServer()` lists a torrent's title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim's browser through files with names containing the malicious payload. The issue is mitigated due to the fact that the server only allows fetching data pieces from the torrent.\n\n\n## Recommendation\n\nUpgrade to version 0.107.6 or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-15782","reference_id":"","reference_type":"","scores":[{"value":"0.00208","scoring_system":"epss","scoring_elements":"0.43116","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-15782"},{"reference_url":"https://github.com/webtorrent/webtorrent/commit/7e829b5d52c32d2e6d8f5fbcf0f8f418fffde083","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webtorrent/webtorrent/commit/7e829b5d52c32d2e6d8f5fbcf0f8f418fffde083"},{"reference_url":"https://github.com/webtorrent/webtorrent/compare/v0.107.5...v0.107.6","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webtorrent/webtorrent/compare/v0.107.5...v0.107.6"},{"reference_url":"https://github.com/webtorrent/webtorrent/pull/1714","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webtorrent/webtorrent/pull/1714"},{"reference_url":"https://hackerone.com/reports/681617","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/681617"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15782","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15782"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-WEBTORRENT-460351","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-WEBTORRENT-460351"},{"reference_url":"https://www.npmjs.com/advisories/1158","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1158"},{"reference_url":"https://github.com/advisories/GHSA-gjh4-fcv3-whpq","reference_id":"GHSA-gjh4-fcv3-whpq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gjh4-fcv3-whpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82791?format=json","purl":"pkg:npm/webtorrent@0.107.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webtorrent@0.107.6"}],"aliases":["CVE-2019-15782","GHSA-gjh4-fcv3-whpq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3wva-n1jv-u7h8"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webtorrent@0.85.1"}