Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/518027?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/518027?format=api", "purl": "pkg:deb/debian/leptonlib@1.71-2.1", "type": "deb", "namespace": "debian", "name": "leptonlib", "version": "1.71-2.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.79.0-1.1+deb11u1", "latest_non_vulnerable_version": "1.79.0-1.1+deb11u1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75270?format=api", "vulnerability_id": "VCID-1rnj-xbph-afd9", "summary": "An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput function does not block '/' characters in the gplot rootname argument, potentially leading to path traversal and arbitrary file overwrite.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7442", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00204", "scoring_system": "epss", "scoring_elements": "0.42347", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00204", "scoring_system": "epss", "scoring_elements": "0.42422", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00204", "scoring_system": "epss", "scoring_elements": "0.42433", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00204", "scoring_system": "epss", "scoring_elements": "0.42406", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00204", "scoring_system": "epss", "scoring_elements": "0.42372", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00204", "scoring_system": "epss", "scoring_elements": "0.42382", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7442" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7442", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7442" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898439", "reference_id": 
"898439", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898439" }, { "reference_url": "https://security.gentoo.org/glsa/202312-01", "reference_id": "GLSA-202312-01", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202312-01" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/518030?format=api", "purl": "pkg:deb/debian/leptonlib@1.76.0-1%2Bdeb10u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ntb-5c2a-8uhy" }, { "vulnerability": "VCID-a2de-6vw3-suey" }, { "vulnerability": "VCID-f6m7-jffv-n7b2" }, { "vulnerability": "VCID-g5x5-uxdq-gfbt" }, { "vulnerability": "VCID-hh6e-vnn6-vug2" }, { "vulnerability": "VCID-m6qf-9k8h-y3fy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.76.0-1%252Bdeb10u1" } ], "aliases": [ "CVE-2018-7442" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1rnj-xbph-afd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75268?format=api", "vulnerability_id": "VCID-58uu-hzmb-gkdf", "summary": "An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput function allows command injection via a $(command) approach in the gplot rootname argument. 
This issue exists because of an incomplete fix for CVE-2018-3836.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7440", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01791", "scoring_system": "epss", "scoring_elements": "0.83093", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01791", "scoring_system": "epss", "scoring_elements": "0.8312", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01791", "scoring_system": "epss", "scoring_elements": "0.83116", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01791", "scoring_system": "epss", "scoring_elements": "0.83109", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.01791", "scoring_system": "epss", "scoring_elements": "0.83121", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7440" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7440", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7440" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891932", "reference_id": "891932", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891932" }, { "reference_url": "https://security.gentoo.org/glsa/202312-01", "reference_id": "GLSA-202312-01", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202312-01" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/518030?format=api", "purl": "pkg:deb/debian/leptonlib@1.76.0-1%2Bdeb10u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ntb-5c2a-8uhy" }, { "vulnerability": "VCID-a2de-6vw3-suey" }, { "vulnerability": "VCID-f6m7-jffv-n7b2" }, { "vulnerability": "VCID-g5x5-uxdq-gfbt" }, { "vulnerability": "VCID-hh6e-vnn6-vug2" }, { "vulnerability": "VCID-m6qf-9k8h-y3fy" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.76.0-1%252Bdeb10u1" } ], "aliases": [ "CVE-2018-7440" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-58uu-hzmb-gkdf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54177?format=api", "vulnerability_id": "VCID-9ntb-5c2a-8uhy", "summary": "Out-of-bounds Read\nLeptonica allows a heap-based buffer over-read in `pixReadFromTiffStream`, related to `tiffio.c`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36280", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82903", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.8293", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82929", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82926", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82918", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82931", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36280" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36280", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36280" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985089", "reference_id": "985089", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985089" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36280", "reference_id": 
"CVE-2020-36280", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36280" }, { "reference_url": "https://security.gentoo.org/glsa/202107-53", "reference_id": "GLSA-202107-53", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202107-53" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/553312?format=api", "purl": "pkg:deb/debian/leptonlib@1.79.0-1.1%2Bdeb11u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.79.0-1.1%252Bdeb11u1" } ], "aliases": [ "CVE-2020-36280" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9ntb-5c2a-8uhy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75271?format=api", "vulnerability_id": "VCID-a2de-6vw3-suey", "summary": "An issue in the Leptonica linked library (v1.79.0) allows attackers to cause an arithmetic exception leading to a Denial of Service (DoS) via a crafted JPEG file.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38266.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38266.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-38266", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54261", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54318", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54327", "published_at": "2026-06-06T12:55:00Z" }, { 
"value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54315", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54293", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54314", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-38266" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38266", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38266" }, { "reference_url": "https://github.com/DanBloomberg/leptonica/commit/f062b42c0ea8dddebdc6a152fd16152de215d614", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/DanBloomberg/leptonica/commit/f062b42c0ea8dddebdc6a152fd16152de215d614" }, { "reference_url": "https://github.com/tesseract-ocr/tesseract/issues/3498", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/tesseract-ocr/tesseract/issues/3498" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00018.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00018.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132556", "reference_id": "2132556", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132556" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38266", "reference_id": "CVE-2022-38266", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38266" }, { "reference_url": "https://security.gentoo.org/glsa/202312-01", "reference_id": "GLSA-202312-01", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202312-01" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/553312?format=api", "purl": "pkg:deb/debian/leptonlib@1.79.0-1.1%2Bdeb11u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.79.0-1.1%252Bdeb11u1" } ], "aliases": [ "CVE-2022-38266" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "5.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a2de-6vw3-suey" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75265?format=api", "vulnerability_id": "VCID-ad8n-e81g-v7eb", "summary": "An exploitable command injection vulnerability exists in the gplotMakeOutput function of Leptonica 1.74.4. A specially crafted gplot rootname argument can cause a command injection resulting in arbitrary code execution. An attacker can provide a malicious path as input to an application that passes attacker data to this function to trigger this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-3836", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32396", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32468", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32436", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32397", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32368", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.3239", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-3836" }, { "reference_url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3836", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3836" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889759", "reference_id": "889759", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889759" }, { "reference_url": "https://usn.ubuntu.com/USN-4819-1/", "reference_id": "USN-USN-4819-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-4819-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/518030?format=api", "purl": "pkg:deb/debian/leptonlib@1.76.0-1%2Bdeb10u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ntb-5c2a-8uhy" }, { "vulnerability": "VCID-a2de-6vw3-suey" }, { "vulnerability": "VCID-f6m7-jffv-n7b2" }, { "vulnerability": "VCID-g5x5-uxdq-gfbt" }, { "vulnerability": "VCID-hh6e-vnn6-vug2" }, { "vulnerability": "VCID-m6qf-9k8h-y3fy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.76.0-1%252Bdeb10u1" } ], "aliases": [ "CVE-2018-3836" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ad8n-e81g-v7eb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75266?format=api", "vulnerability_id": "VCID-ey2r-cgfc-rkf6", "summary": "Leptonica before 1.75.3 does not limit the number of characters in a %s format argument to fscanf or sscanf, which allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a long string, as demonstrated by the gplotRead and ptaReadStream functions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7186", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03118", 
"scoring_system": "epss", "scoring_elements": "0.87079", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.03118", "scoring_system": "epss", "scoring_elements": "0.87101", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.03118", "scoring_system": "epss", "scoring_elements": "0.87099", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.03118", "scoring_system": "epss", "scoring_elements": "0.87094", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.03118", "scoring_system": "epss", "scoring_elements": "0.8709", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7186" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7186", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7186" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890548", "reference_id": "890548", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890548" }, { "reference_url": "https://security.gentoo.org/glsa/202312-01", "reference_id": "GLSA-202312-01", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202312-01" }, { "reference_url": "https://usn.ubuntu.com/USN-4819-1/", "reference_id": "USN-USN-4819-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-4819-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/518030?format=api", "purl": "pkg:deb/debian/leptonlib@1.76.0-1%2Bdeb10u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ntb-5c2a-8uhy" }, { "vulnerability": "VCID-a2de-6vw3-suey" }, { "vulnerability": "VCID-f6m7-jffv-n7b2" }, { "vulnerability": "VCID-g5x5-uxdq-gfbt" }, { "vulnerability": "VCID-hh6e-vnn6-vug2" }, { "vulnerability": "VCID-m6qf-9k8h-y3fy" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.76.0-1%252Bdeb10u1" } ], "aliases": [ "CVE-2018-7186" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ey2r-cgfc-rkf6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54165?format=api", "vulnerability_id": "VCID-f6m7-jffv-n7b2", "summary": "Out-of-bounds Read\nLeptonica allows a heap-based buffer over-read in `rasteropGeneralLow`, related to `adaptmap_reg.c` and `adaptmap.c`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36279", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04251", "scoring_system": "epss", "scoring_elements": "0.88994", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.04251", "scoring_system": "epss", "scoring_elements": "0.89011", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.04251", "scoring_system": "epss", "scoring_elements": "0.89012", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.04251", "scoring_system": "epss", "scoring_elements": "0.89028", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36279" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36279", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36279" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985089", "reference_id": "985089", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985089" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36279", "reference_id": "CVE-2020-36279", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36279" }, { "reference_url": "https://security.gentoo.org/glsa/202107-53", "reference_id": "GLSA-202107-53", 
"reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202107-53" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/553312?format=api", "purl": "pkg:deb/debian/leptonlib@1.79.0-1.1%2Bdeb11u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.79.0-1.1%252Bdeb11u1" } ], "aliases": [ "CVE-2020-36279" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f6m7-jffv-n7b2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54160?format=api", "vulnerability_id": "VCID-g5x5-uxdq-gfbt", "summary": "Always-Incorrect Control Flow Implementation\nLeptonica allows a denial of service (application crash) via an incorrect left shift in `pixConvert2To8` in `pixconv.c`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36277", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04001", "scoring_system": "epss", "scoring_elements": "0.88637", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.04001", "scoring_system": "epss", "scoring_elements": "0.88655", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.04001", "scoring_system": "epss", "scoring_elements": "0.88656", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.04001", "scoring_system": "epss", "scoring_elements": "0.88654", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.04001", "scoring_system": "epss", "scoring_elements": "0.88671", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36277" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36277", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36277" }, { "reference_url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985089", "reference_id": "985089", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985089" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36277", "reference_id": "CVE-2020-36277", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36277" }, { "reference_url": "https://security.gentoo.org/glsa/202107-53", "reference_id": "GLSA-202107-53", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202107-53" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/553312?format=api", "purl": "pkg:deb/debian/leptonlib@1.79.0-1.1%2Bdeb11u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.79.0-1.1%252Bdeb11u1" } ], "aliases": [ "CVE-2020-36277" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g5x5-uxdq-gfbt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54170?format=api", "vulnerability_id": "VCID-hh6e-vnn6-vug2", "summary": "Out-of-bounds Read\nLeptonica allows a heap-based buffer over-read in `findNextBorderPixel` in `ccbord.c`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36278", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00538", "scoring_system": "epss", "scoring_elements": "0.67919", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00538", "scoring_system": "epss", "scoring_elements": "0.67958", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00538", "scoring_system": "epss", "scoring_elements": "0.67966", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00538", "scoring_system": "epss", "scoring_elements": "0.67956", "published_at": "2026-06-07T12:55:00Z" }, { "value": 
"0.00538", "scoring_system": "epss", "scoring_elements": "0.67943", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36278" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36278", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36278" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985089", "reference_id": "985089", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985089" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36278", "reference_id": "CVE-2020-36278", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36278" }, { "reference_url": "https://security.gentoo.org/glsa/202107-53", "reference_id": "GLSA-202107-53", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202107-53" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/553312?format=api", "purl": "pkg:deb/debian/leptonlib@1.79.0-1.1%2Bdeb11u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.79.0-1.1%252Bdeb11u1" } ], "aliases": [ "CVE-2020-36278" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hh6e-vnn6-vug2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54180?format=api", "vulnerability_id": "VCID-m6qf-9k8h-y3fy", "summary": "Out-of-bounds Read\nLeptonica allows a heap-based buffer over-read in `pixFewColorsOctcubeQuantMixed` in `colorquant1.c`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36281", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00506", "scoring_system": "epss", "scoring_elements": 
"0.66592", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00506", "scoring_system": "epss", "scoring_elements": "0.66632", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00506", "scoring_system": "epss", "scoring_elements": "0.66639", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00506", "scoring_system": "epss", "scoring_elements": "0.66625", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00506", "scoring_system": "epss", "scoring_elements": "0.66609", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00506", "scoring_system": "epss", "scoring_elements": "0.66627", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36281" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36281", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36281" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985089", "reference_id": "985089", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985089" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36281", "reference_id": "CVE-2020-36281", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36281" }, { "reference_url": "https://security.gentoo.org/glsa/202107-53", "reference_id": "GLSA-202107-53", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202107-53" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/553312?format=api", "purl": "pkg:deb/debian/leptonlib@1.79.0-1.1%2Bdeb11u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.79.0-1.1%252Bdeb11u1" } ], "aliases": [ "CVE-2020-36281" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-m6qf-9k8h-y3fy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75267?format=api", "vulnerability_id": "VCID-pzmc-5fp3-j3fz", "summary": "An issue was discovered in pixHtmlViewer in prog/htmlviewer.c in Leptonica before 1.75.3. Unsanitized input (rootname) can overflow a buffer, leading potentially to arbitrary code execution or possibly unspecified other impact.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7247", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60632", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.6068", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60688", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60677", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.6066", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60676", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7247" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7247", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7247" }, { "reference_url": "https://security.gentoo.org/glsa/202312-01", "reference_id": "GLSA-202312-01", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202312-01" }, { "reference_url": "https://usn.ubuntu.com/USN-5143-1/", "reference_id": "USN-USN-5143-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5143-1/" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/518030?format=api", "purl": "pkg:deb/debian/leptonlib@1.76.0-1%2Bdeb10u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ntb-5c2a-8uhy" }, { "vulnerability": "VCID-a2de-6vw3-suey" }, { "vulnerability": "VCID-f6m7-jffv-n7b2" }, { "vulnerability": "VCID-g5x5-uxdq-gfbt" }, { "vulnerability": "VCID-hh6e-vnn6-vug2" }, { "vulnerability": "VCID-m6qf-9k8h-y3fy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.76.0-1%252Bdeb10u1" } ], "aliases": [ "CVE-2018-7247" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pzmc-5fp3-j3fz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75269?format=api", "vulnerability_id": "VCID-rcy9-yq1w-ubdx", "summary": "Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might allow local users to overwrite arbitrary files or have unspecified other impact by creating files in advance or winning a race condition, as demonstrated by /tmp/junk_split_image.ps in prog/splitimage2pdf.c.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7441", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14457", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14528", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14532", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14492", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14405", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14425", 
"published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7441" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7441", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7441" }, { "reference_url": "https://security.gentoo.org/glsa/202312-01", "reference_id": "GLSA-202312-01", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202312-01" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/518030?format=api", "purl": "pkg:deb/debian/leptonlib@1.76.0-1%2Bdeb10u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ntb-5c2a-8uhy" }, { "vulnerability": "VCID-a2de-6vw3-suey" }, { "vulnerability": "VCID-f6m7-jffv-n7b2" }, { "vulnerability": "VCID-g5x5-uxdq-gfbt" }, { "vulnerability": "VCID-hh6e-vnn6-vug2" }, { "vulnerability": "VCID-m6qf-9k8h-y3fy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.76.0-1%252Bdeb10u1" } ], "aliases": [ "CVE-2018-7441" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rcy9-yq1w-ubdx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75264?format=api", "vulnerability_id": "VCID-xy9u-crnd-pfas", "summary": "Leptonica 1.74.4 constructs unintended pathnames (containing duplicated path components) when operating on files in /tmp subdirectories, which might allow local users to bypass intended file restrictions by leveraging access to a directory located deeper within the /tmp directory tree, as demonstrated by /tmp/ANY/PATH/ANY/PATH/input.tif.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18196", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13498", 
"published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13579", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13585", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13543", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13457", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13488", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18196" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18196", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18196" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885704", "reference_id": "885704", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885704" }, { "reference_url": "https://security.gentoo.org/glsa/202312-01", "reference_id": "GLSA-202312-01", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202312-01" }, { "reference_url": "https://usn.ubuntu.com/USN-4819-1/", "reference_id": "USN-USN-4819-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-4819-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/518030?format=api", "purl": "pkg:deb/debian/leptonlib@1.76.0-1%2Bdeb10u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ntb-5c2a-8uhy" }, { "vulnerability": "VCID-a2de-6vw3-suey" }, { "vulnerability": "VCID-f6m7-jffv-n7b2" }, { "vulnerability": "VCID-g5x5-uxdq-gfbt" }, { "vulnerability": "VCID-hh6e-vnn6-vug2" }, { "vulnerability": "VCID-m6qf-9k8h-y3fy" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.76.0-1%252Bdeb10u1" } ], "aliases": [ "CVE-2017-18196" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xy9u-crnd-pfas" } ], "fixing_vulnerabilities": [], "risk_score": "2.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/leptonlib@1.71-2.1" }