Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1?distro=bullseye

Type deb

Namespace debian

Name golang-github-labstack-echo.v3

Version 3.3.10-1

Qualifiers

distro	bullseye

Subpath

Is_vulnerable false

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-3392-7uhn-xbff

vulnerability_id VCID-3392-7uhn-xbff

summary Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-25766

reference_id

reference_type

scores

value	0.00068
scoring_system	epss
scoring_elements	0.21031
published_at	2026-06-11T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.21227
published_at	2026-06-13T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.2121
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-25766

reference_url

https://github.com/labstack/echo

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/labstack/echo

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-25766

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-25766

reference_url

https://pkg.go.dev/vuln/GO-2026-4502

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://pkg.go.dev/vuln/GO-2026-4502

reference_url

https://github.com/labstack/echo/pull/2891

reference_id

2891

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T19:45:33Z/

url

https://github.com/labstack/echo/pull/2891

reference_url

https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1

reference_id

b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T19:45:33Z/

url

https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1

reference_url

https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9

reference_id

GHSA-pgvm-wxw2-hrv9

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T19:45:33Z/

url

https://github.com/labstack/echo/security/advisories/GHSA-pgvm-wxw2-hrv9

fixed_packages

url	pkg:deb/debian/golang-github-labstack-echo.v3@0?distro=bullseye
purl	pkg:deb/debian/golang-github-labstack-echo.v3@0?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-labstack-echo.v3@0%3Fdistro=bullseye

url	pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1?distro=bullseye
purl	pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1%3Fdistro=bullseye

aliases CVE-2026-25766, GHSA-pgvm-wxw2-hrv9

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3392-7uhn-xbff

url VCID-3uh2-1qh8-n7c7

vulnerability_id VCID-3uh2-1qh8-n7c7

summary Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-36565

reference_id

reference_type

scores

value	0.00295
scoring_system	epss
scoring_elements	0.53146
published_at	2026-06-11T12:55:00Z

value	0.00295
scoring_system	epss
scoring_elements	0.53289
published_at	2026-06-13T12:55:00Z

value	0.00295
scoring_system	epss
scoring_elements	0.53273
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-36565

reference_url

https://github.com/labstack/echo

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/labstack/echo

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-36565

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-36565

reference_url

https://github.com/labstack/echo/pull/1718

reference_id

1718

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:38:06Z/

url

https://github.com/labstack/echo/pull/1718

reference_url

https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa

reference_id

4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:38:06Z/

url

https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa

reference_url

https://pkg.go.dev/vuln/GO-2021-0051

reference_id

GO-2021-0051

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:38:06Z/

url

https://pkg.go.dev/vuln/GO-2021-0051

fixed_packages

url	pkg:deb/debian/golang-github-labstack-echo.v3@0?distro=bullseye
purl	pkg:deb/debian/golang-github-labstack-echo.v3@0?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-labstack-echo.v3@0%3Fdistro=bullseye

url	pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1?distro=bullseye
purl	pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1%3Fdistro=bullseye

aliases CVE-2020-36565, GHSA-j453-hm5x-c46w

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3uh2-1qh8-n7c7

url VCID-ys5t-g5g6-2fg3

vulnerability_id VCID-ys5t-g5g6-2fg3

summary Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-40083

reference_id

reference_type

scores

value	0.58765
scoring_system	epss
scoring_elements	0.98262
published_at	2026-06-13T12:55:00Z

value	0.58765
scoring_system	epss
scoring_elements	0.98255
published_at	2026-06-11T12:55:00Z

value	0.58765
scoring_system	epss
scoring_elements	0.98261
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-40083

reference_url

https://github.com/labstack/echo

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/labstack/echo

reference_url

https://github.com/labstack/echo/commit/0ac4d74402391912ff6da733bb09fd4c3980b4e1

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/labstack/echo/commit/0ac4d74402391912ff6da733bb09fd4c3980b4e1

reference_url

https://github.com/labstack/echo/pull/2260

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/labstack/echo/pull/2260

reference_url

https://github.com/labstack/echo/pull/2260/commits/3154abd1401554fe4d1c09ec550506d8625fc042

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/labstack/echo/pull/2260/commits/3154abd1401554fe4d1c09ec550506d8625fc042

reference_url

https://github.com/labstack/echo/releases/tag/v4.9.0

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/labstack/echo/releases/tag/v4.9.0

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-40083

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-40083

reference_url

https://pkg.go.dev/vuln/GO-2022-1031

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://pkg.go.dev/vuln/GO-2022-1031

reference_url

https://github.com/labstack/echo/issues/2259

reference_id

2259

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-05-21T14:38:34Z/

url

https://github.com/labstack/echo/issues/2259

fixed_packages

url	pkg:deb/debian/golang-github-labstack-echo.v3@0?distro=bullseye
purl	pkg:deb/debian/golang-github-labstack-echo.v3@0?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-labstack-echo.v3@0%3Fdistro=bullseye

url	pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1?distro=bullseye
purl	pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1%3Fdistro=bullseye

aliases CVE-2022-40083, GHSA-crxj-hrmp-4rwf

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ys5t-g5g6-2fg3

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-labstack-echo.v3@3.3.10-1%3Fdistro=bullseye

Package Instance