{"url":"http://public2.vulnerablecode.io/api/packages/544605?format=json","purl":"pkg:npm/%40plone/volto@14.0.0-alpha.30","type":"npm","namespace":"@plone","name":"volto","version":"14.0.0-alpha.30","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"16.34.1","latest_non_vulnerable_version":"19.0.0-alpha.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93776?format=json","vulnerability_id":"VCID-4eux-yfky-2yc2","summary":"Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. The problem has been patched in versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-alpha.4. To mitigate downtime, have setup automatically restart processes that quit with an error.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58047","reference_id":"","reference_type":"","scores":[{"value":"0.00171","scoring_system":"epss","scoring_elements":"0.38192","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58047"},{"reference_url":"https://github.com/plone/volto","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/plone/volto"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58047","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58047"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/08/28/3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/08/28/3"},{"reference_url":"https://github.com/plone/volto/releases/tag/16.34.0","reference_id":"16.34.0","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:35:47Z/"}],"url":"https://github.com/plone/volto/releases/tag/16.34.0"},{"reference_url":"https://github.com/plone/volto/releases/tag/17.22.1","reference_id":"17.22.1","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:35:47Z/"}],"url":"https://github.com/plone/volto/releases/tag/17.22.1"},{"reference_url":"https://github.com/plone/volto/releases/tag/18.24.0","reference_id":"18.24.0","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:35:47Z/"}],"url":"https://github.com/plone/volto/releases/tag/18.24.0"},{"reference_url":"https://github.com/plone/volto/releases/tag/19.0.0-alpha.4","reference_id":"19.0.0-alpha.4","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:35:47Z/"}],"url":"https://github.com/plone/volto/releases/tag/19.0.0-alpha.4"},{"reference_url":"https://github.com/plone/volto/commit/2789a287ac45ad9039fb9161d465ba13241fff0a","reference_id":"2789a287ac45ad9039fb9161d465ba13241fff0a","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:35:47Z/"}],"url":"https://github.com/plone/volto/commit/2789a287ac45ad9039fb9161d465ba13241fff0a"},{"reference_url":"https://github.com/advisories/GHSA-xjhf-7833-3pm5","reference_id":"GHSA-xjhf-7833-3pm5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xjhf-7833-3pm5"},{"reference_url":"https://github.com/plone/volto/security/advisories/GHSA-xjhf-7833-3pm5","reference_id":"GHSA-xjhf-7833-3pm5","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:35:47Z/"}],"url":"https://github.com/plone/volto/security/advisories/GHSA-xjhf-7833-3pm5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377787?format=json","purl":"pkg:npm/%40plone/volto@16.34.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ag4n-qppy-1fhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540plone/volto@16.34.0"},{"url":"http://public2.vulnerablecode.io/api/packages/377788?format=json","purl":"pkg:npm/%40plone/volto@17.22.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ag4n-qppy-1fhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540plone/volto@17.22.1"},{"url":"http://public2.vulnerablecode.io/api/packages/377789?format=json","purl":"pkg:npm/%40plone/volto@18.24.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ag4n-qppy-1fhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540plone/volto@18.24.0"},{"url":"http://public2.vulnerablecode.io/api/packages/377790?format=json","purl":"pkg:npm/%40plone/volto@19.0.0-alpha.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ag4n-qppy-1fhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540plone/volto@19.0.0-alpha.4"}],"aliases":["CVE-2025-58047","GHSA-xjhf-7833-3pm5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4eux-yfky-2yc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/127891?format=json","vulnerability_id":"VCID-ag4n-qppy-1fhq","summary":"Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61668","reference_id":"","reference_type":"","scores":[{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29711","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61668"},{"reference_url":"https://github.com/plone/volto","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/plone/volto"},{"reference_url":"https://github.com/plone/volto/releases/tag/16.34.1","reference_id":"16.34.1","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:37:13Z/"}],"url":"https://github.com/plone/volto/releases/tag/16.34.1"},{"reference_url":"https://github.com/plone/volto/releases/tag/17.22.2","reference_id":"17.22.2","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:37:13Z/"}],"url":"https://github.com/plone/volto/releases/tag/17.22.2"},{"reference_url":"http://github.com/plone/volto/releases/tag/18.27.2","reference_id":"18.27.2","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:37:13Z/"}],"url":"http://github.com/plone/volto/releases/tag/18.27.2"},{"reference_url":"https://github.com/plone/volto/releases/tag/19.0.0-alpha.6","reference_id":"19.0.0-alpha.6","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:37:13Z/"}],"url":"https://github.com/plone/volto/releases/tag/19.0.0-alpha.6"},{"reference_url":"https://github.com/plone/volto/commit/58d9f82d2d50ca9a87edbe16fed91762e57c109c","reference_id":"58d9f82d2d50ca9a87edbe16fed91762e57c109c","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:37:13Z/"}],"url":"https://github.com/plone/volto/commit/58d9f82d2d50ca9a87edbe16fed91762e57c109c"},{"reference_url":"https://github.com/plone/volto/pull/7412","reference_id":"7412","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:37:13Z/"}],"url":"https://github.com/plone/volto/pull/7412"},{"reference_url":"https://github.com/plone/volto/pull/7413","reference_id":"7413","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:37:13Z/"}],"url":"https://github.com/plone/volto/pull/7413"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61668","reference_id":"CVE-2025-61668","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61668"},{"reference_url":"https://github.com/advisories/GHSA-m8rj-ppph-mj33","reference_id":"GHSA-m8rj-ppph-mj33","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m8rj-ppph-mj33"},{"reference_url":"https://github.com/plone/volto/security/advisories/GHSA-m8rj-ppph-mj33","reference_id":"GHSA-m8rj-ppph-mj33","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-03T13:37:13Z/"}],"url":"https://github.com/plone/volto/security/advisories/GHSA-m8rj-ppph-mj33"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34034?format=json","purl":"pkg:npm/%40plone/volto@16.34.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540plone/volto@16.34.1"},{"url":"http://public2.vulnerablecode.io/api/packages/34033?format=json","purl":"pkg:npm/%40plone/volto@17.22.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540plone/volto@17.22.2"},{"url":"http://public2.vulnerablecode.io/api/packages/34031?format=json","purl":"pkg:npm/%40plone/volto@18.27.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540plone/volto@18.27.2"},{"url":"http://public2.vulnerablecode.io/api/packages/34036?format=json","purl":"pkg:npm/%40plone/volto@19.0.0-alpha.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540plone/volto@19.0.0-alpha.6"}],"aliases":["CVE-2025-61668","GHSA-m8rj-ppph-mj33"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ag4n-qppy-1fhq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/173324?format=json","vulnerability_id":"VCID-vc33-21p7-nfc2","summary":"Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user's account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24740","reference_id":"","reference_type":"","scores":[{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49537","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24740"},{"reference_url":"https://github.com/plone/volto","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/plone/volto"},{"reference_url":"https://github.com/plone/volto/pull/3051","reference_id":"3051","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:02Z/"}],"url":"https://github.com/plone/volto/pull/3051"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24740","reference_id":"CVE-2022-24740","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24740"},{"reference_url":"https://github.com/advisories/GHSA-cfhh-xgwq-5r67","reference_id":"GHSA-cfhh-xgwq-5r67","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cfhh-xgwq-5r67"},{"reference_url":"https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67","reference_id":"GHSA-cfhh-xgwq-5r67","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:02Z/"}],"url":"https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19692?format=json","purl":"pkg:npm/%40plone/volto@15.0.0-alpha.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4eux-yfky-2yc2"},{"vulnerability":"VCID-ag4n-qppy-1fhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540plone/volto@15.0.0-alpha.0"}],"aliases":["CVE-2022-24740","GHSA-cfhh-xgwq-5r67"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vc33-21p7-nfc2"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540plone/volto@14.0.0-alpha.30"}