{"url":"http://public2.vulnerablecode.io/api/packages/58930?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.13","type":"maven","namespace":"org.apache.dubbo","name":"dubbo","version":"2.7.13","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.7.21","latest_non_vulnerable_version":"3.2.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42021?format=json","vulnerability_id":"VCID-9ngc-j571-m3ck","summary":"Deserialization of Untrusted Data\nA deserialization vulnerability existed in dubbo hessian-lite and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches unexpected exceptions, it logs some information for users, which may cause remote command execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43297","reference_id":"","reference_type":"","scores":[{"value":"0.46296","scoring_system":"epss","scoring_elements":"0.97717","published_at":"2026-06-07T12:55:00Z"},{"value":"0.46296","scoring_system":"epss","scoring_elements":"0.97712","published_at":"2026-06-04T12:55:00Z"},{"value":"0.46296","scoring_system":"epss","scoring_elements":"0.97716","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43297"},{"reference_url":"https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43297","reference_id":"CVE-2021-43297","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements
":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43297"},{"reference_url":"https://github.com/advisories/GHSA-vp5x-3v8r-qprw","reference_id":"GHSA-vp5x-3v8r-qprw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vp5x-3v8r-qprw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60096?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.15"},{"url":"http://public2.vulnerablecode.io/api/packages/60097?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.5"}],"aliases":["CVE-2021-43297","GHSA-vp5x-3v8r-qprw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9ngc-j571-m3ck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/108845?format=json","vulnerability_id":"VCID-ahzf-whmw-aue3","summary":"Hessian Lite for Apache Dubbo deserialization vulnerability\nA deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. 
This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39198","reference_id":"","reference_type":"","scores":[{"value":"0.10341","scoring_system":"epss","scoring_elements":"0.93335","published_at":"2026-06-06T12:55:00Z"},{"value":"0.10341","scoring_system":"epss","scoring_elements":"0.93333","published_at":"2026-06-07T12:55:00Z"},{"value":"0.10341","scoring_system":"epss","scoring_elements":"0.93323","published_at":"2026-06-04T12:55:00Z"},{"value":"0.10341","scoring_system":"epss","scoring_elements":"0.93334","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39198"},{"reference_url":"https://github.com/apache/dubbo-hessian-lite","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo-hessian-lite"},{"reference_url":"https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13"},{"reference_url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18"},{"reference_url":"https://github.com/apache
/dubbo/releases/tag/dubbo-3.0.12","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/releases/tag/dubbo-3.0.12"},{"reference_url":"https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1"},{"reference_url":"https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-13T14:48:24Z/"}],"url":"https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39198","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39198"},{"reference_url":"https://github.com/advisories/GHSA-5qwq-g2hx-r6f7","reference_id":"GHSA-5qwq-g2hx-r6f7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5qwq-g2hx-r6f7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/145003?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7
.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.18"},{"url":"http://public2.vulnerablecode.io/api/packages/145005?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.12"},{"url":"http://public2.vulnerablecode.io/api/packages/145008?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4cur-ezpv-k7fx"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.1.1"}],"aliases":["CVE-2022-39198","GHSA-5qwq-g2hx-r6f7"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ahzf-whmw-aue3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44630?format=json","vulnerability_id":"VCID-f4ha-rjpx-yfgb","summary":"Deserialization of Untrusted Data\nA deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. 
This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23638","reference_id":"","reference_type":"","scores":[{"value":"0.50291","scoring_system":"epss","scoring_elements":"0.97891","published_at":"2026-06-05T12:55:00Z"},{"value":"0.50291","scoring_system":"epss","scoring_elements":"0.97893","published_at":"2026-06-07T12:55:00Z"},{"value":"0.50291","scoring_system":"epss","scoring_elements":"0.97892","published_at":"2026-06-06T12:55:00Z"},{"value":"0.50291","scoring_system":"epss","scoring_elements":"0.97887","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23638"},{"reference_url":"https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T16:41:19Z/"}],"url":"https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23638","reference_id":"CVE-2023-23638","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23638"},{"reference_url":"https://github.com/advisories/GHSA-933g-v89r-x8pf","reference_id":"GHSA-933g-v89r-x8pf","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvss
v3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-933g-v89r-x8pf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64254?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.21"},{"url":"http://public2.vulnerablecode.io/api/packages/137669?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.22"},{"url":"http://public2.vulnerablecode.io/api/packages/64255?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.13"},{"url":"http://public2.vulnerablecode.io/api/packages/64256?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.1.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3byz-42xs-3khg"},{"vulnerability":"VCID-4cur-ezpv-k7fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.1.5"}],"aliases":["CVE-2023-23638","GHSA-933g-v89r-x8pf"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f4ha-rjpx-yfgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110635?format=json","vulnerability_id":"VCID-m7ca-pdzs-2yfd","summary":"Server-side request forgery in Apache Dubbo\nbypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF 
vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24969","reference_id":"","reference_type":"","scores":[{"value":"0.02387","scoring_system":"epss","scoring_elements":"0.85299","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02387","scoring_system":"epss","scoring_elements":"0.85328","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02387","scoring_system":"epss","scoring_elements":"0.85322","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24969"},{"reference_url":"https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24969","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24969"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25640","reference_id":"CVE-2021-25640","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25640"},{"reference_url":"https://github.com/advisories/GHSA-gm48-83x4-84jg","reference_id":"GHSA-gm48-83x4-84jg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gm48-83x4-84jg"},{"reference_url":"https://github.com/advisories/GHS
A-gw4j-4229-q4px","reference_id":"GHSA-gw4j-4229-q4px","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gw4j-4229-q4px"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60096?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.15"}],"aliases":["CVE-2022-24969","GHSA-gm48-83x4-84jg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m7ca-pdzs-2yfd"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41430?format=json","vulnerability_id":"VCID-dj6s-gcjj-nuhr","summary":"Deserialization of Untrusted Data\nIn Apache Dubbo, users may choose to use the Hessian 
protocol.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36163","reference_id":"","reference_type":"","scores":[{"value":"0.0121","scoring_system":"epss","scoring_elements":"0.79314","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0121","scoring_system":"epss","scoring_elements":"0.79338","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0121","scoring_system":"epss","scoring_elements":"0.79345","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0121","scoring_system":"epss","scoring_elements":"0.7934","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36163"},{"reference_url":"https://github.com/apache/dubbo","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo"},{"reference_url":"https://github.com/apache/dubbo/pull/8238","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/pull/8238"},{"reference_url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1"},{"reference_url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual
","scoring_elements":""}],"url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13"},{"reference_url":"https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36163","reference_id":"CVE-2021-36163","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36163"},{"reference_url":"https://github.com/advisories/GHSA-cpx9-4rwv-486v","reference_id":"GHSA-cpx9-4rwv-486v","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cpx9-4rwv-486v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/141182?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.6.10.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.6.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/58930?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13"},{"url":"http:
//public2.vulnerablecode.io/api/packages/58931?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2"}],"aliases":["CVE-2021-36163","GHSA-cpx9-4rwv-486v"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dj6s-gcjj-nuhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41449?format=json","vulnerability_id":"VCID-h5n6-nuyj-dkcc","summary":"Deserialization of Untrusted Data\nThe Dubbo Provider checks that the incoming request and its corresponding serialization type meet the configuration set by the server. However, there is an exception that an attacker can use to skip the security check (when enabled) and reach a deserialization operation with native Java 
serialization.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37579","reference_id":"","reference_type":"","scores":[{"value":"0.02891","scoring_system":"epss","scoring_elements":"0.86582","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02891","scoring_system":"epss","scoring_elements":"0.866","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02891","scoring_system":"epss","scoring_elements":"0.86605","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37579"},{"reference_url":"https://github.com/apache/dubbo","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo"},{"reference_url":"https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37579","reference_id":"CVE-2021-37579","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37579"},{"reference_url":"https://github.com/advisories/GHSA-q897-9jxf-jg9r","reference_id":"GHSA-q897-9jxf-jg9r","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/
advisories/GHSA-q897-9jxf-jg9r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58930?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13"},{"url":"http://public2.vulnerablecode.io/api/packages/58931?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2"}],"aliases":["CVE-2021-37579","GHSA-q897-9jxf-jg9r"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h5n6-nuyj-dkcc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41450?format=json","vulnerability_id":"VCID-psmu-bqpc-tkah","summary":"Use of Externally-Controlled Format String\nA component in Dubbo will try to print the formatted string of the input arguments, which will possibly cause RCE for a maliciously customized bean with a special `toString` 
method.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36161","reference_id":"","reference_type":"","scores":[{"value":"0.02734","scoring_system":"epss","scoring_elements":"0.86238","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02734","scoring_system":"epss","scoring_elements":"0.86258","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02734","scoring_system":"epss","scoring_elements":"0.86261","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02734","scoring_system":"epss","scoring_elements":"0.8626","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36161"},{"reference_url":"https://github.com/apache/dubbo","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo"},{"reference_url":"https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36161","reference_id":"CVE-2021-36161","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36161"},{"reference_url":"https://github.com/advisories/GHSA-qvm7-23cj-437v","reference_id":"GHSA-qvm7-23cj-437v","reference_type":"","score
s":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qvm7-23cj-437v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58930?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13"}],"aliases":["CVE-2021-36161","GHSA-qvm7-23cj-437v"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-psmu-bqpc-tkah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41433?format=json","vulnerability_id":"VCID-q32t-bhzw-kygq","summary":"Code Injection\nApache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). 
An attacker with access to the configuration center will be able to poison a rule so that, when it is retrieved by the consumers, it results in RCE on all of them.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36162","reference_id":"","reference_type":"","scores":[{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77505","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77496","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77469","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36162"},{"reference_url":"https://github.com/apache/dubbo","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo"},{"reference_url":"https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36162","reference_id":"CVE-2021-36162","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36162"},{"reference_url":"https://github.com/advisories/GHSA-r577-4hq7-73qh","reference_id":"GHSA-r577-4hq7-73qh","
reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r577-4hq7-73qh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58930?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13"},{"url":"http://public2.vulnerablecode.io/api/packages/58931?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2"}],"aliases":["CVE-2021-36162","GHSA-r577-4hq7-73qh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q32t-bhzw-kygq"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13"}