Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/502620?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/502620?format=api", "purl": "pkg:apk/alpine/asterisk@18.2.1-r0?arch=riscv64&distroversion=edge&reponame=main", "type": "apk", "namespace": "alpine", "name": "asterisk", "version": "18.2.1-r0", "qualifiers": { "arch": "riscv64", "distroversion": "edge", "reponame": "main" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "18.2.2-r2", "latest_non_vulnerable_version": "20.11.1-r0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/59047?format=api", "vulnerability_id": "VCID-13m8-y787-fqb7", "summary": "An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6. When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26717", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00421", "scoring_system": "epss", "scoring_elements": "0.62346", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00421", "scoring_system": "epss", "scoring_elements": "0.62392", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00421", "scoring_system": "epss", "scoring_elements": "0.624", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00421", "scoring_system": "epss", "scoring_elements": "0.6239", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00421", "scoring_system": "epss", "scoring_elements": "0.62375", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00421", "scoring_system": "epss", "scoring_elements": "0.62389", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26717" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26717", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26717" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983157", "reference_id": "983157", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983157" }, { "reference_url": "https://security.gentoo.org/glsa/202412-03", "reference_id": "GLSA-202412-03", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202412-03" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/502620?format=api", "purl": "pkg:apk/alpine/asterisk@18.2.1-r0?arch=riscv64&distroversion=edge&reponame=main", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/asterisk@18.2.1-r0%3Farch=riscv64&distroversion=edge&reponame=main" } ], "aliases": [ "CVE-2021-26717" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-13m8-y787-fqb7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/59045?format=api", "vulnerability_id": "VCID-rrat-247u-fybt", "summary": "Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 16.16.0, 17.9.1, and 18.2.0 and Certified Asterisk 16.8-cert5 allow a remote unauthenticated attacker to prematurely terminate secure calls by replaying SRTP packets.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26712", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02188", "scoring_system": "epss", "scoring_elements": "0.84687", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02188", "scoring_system": "epss", "scoring_elements": "0.84711", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.02188", "scoring_system": "epss", "scoring_elements": "0.84715", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02188", "scoring_system": "epss", "scoring_elements": "0.84709", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.02188", "scoring_system": "epss", "scoring_elements": "0.84697", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26712" }, { "reference_url": "https://security.gentoo.org/glsa/202412-03", "reference_id": "GLSA-202412-03", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202412-03" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/502620?format=api", "purl": "pkg:apk/alpine/asterisk@18.2.1-r0?arch=riscv64&distroversion=edge&reponame=main", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/asterisk@18.2.1-r0%3Farch=riscv64&distroversion=edge&reponame=main" } ], "aliases": [ "CVE-2021-26712" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rrat-247u-fybt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/59046?format=api", "vulnerability_id": "VCID-vdc7-yt4d-ayb2", "summary": "A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma Asterisk before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6 allows an authenticated WebRTC client to cause an Asterisk crash by sending multiple hold/unhold requests in quick succession. This is caused by a signedness comparison mismatch.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26713", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31692", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31762", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31728", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.3169", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31657", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31682", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26713" }, { "reference_url": "https://security.gentoo.org/glsa/202412-03", "reference_id": "GLSA-202412-03", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202412-03" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/502620?format=api", "purl": "pkg:apk/alpine/asterisk@18.2.1-r0?arch=riscv64&distroversion=edge&reponame=main", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/asterisk@18.2.1-r0%3Farch=riscv64&distroversion=edge&reponame=main" } ], "aliases": [ "CVE-2021-26713" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vdc7-yt4d-ayb2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/59050?format=api", "vulnerability_id": "VCID-zk2p-hxmz-yqhb", "summary": "An issue was discovered in res_pjsip_session.c in Digium Asterisk through 13.38.1; 14.x, 15.x, and 16.x through 16.16.0; 17.x through 17.9.1; and 18.x through 18.2.0, and Certified Asterisk through 16.8-cert5. An SDP negotiation vulnerability in PJSIP allows a remote server to potentially crash Asterisk by sending specific SIP responses that cause an SDP negotiation failure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26906", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00811", "scoring_system": "epss", "scoring_elements": "0.74587", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00811", "scoring_system": "epss", "scoring_elements": "0.74618", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00811", "scoring_system": "epss", "scoring_elements": "0.74624", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00811", "scoring_system": "epss", "scoring_elements": "0.74612", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00811", "scoring_system": "epss", "scoring_elements": "0.74595", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00811", "scoring_system": "epss", "scoring_elements": "0.74621", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26906" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26906", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26906" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983159", "reference_id": "983159", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983159" }, { "reference_url": "https://security.gentoo.org/glsa/202412-03", "reference_id": "GLSA-202412-03", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202412-03" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/502620?format=api", "purl": "pkg:apk/alpine/asterisk@18.2.1-r0?arch=riscv64&distroversion=edge&reponame=main", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/asterisk@18.2.1-r0%3Farch=riscv64&distroversion=edge&reponame=main" } ], "aliases": [ "CVE-2021-26906" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zk2p-hxmz-yqhb" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/asterisk@18.2.1-r0%3Farch=riscv64&distroversion=edge&reponame=main" }