Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/pagefind@1.0.2
Typenpm
Namespace
Namepagefind
Version1.0.2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.1.1
Latest_non_vulnerable_version1.1.1
Affected_by_vulnerabilities
0
url VCID-rn6m-y5hx-c7de
vulnerability_id VCID-rn6m-y5hx-c7de
summary 
DOM clobbering could escalate to Cross-site Scripting (XSS)
Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of `document.currentScript.src`.

It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example:
```html
<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>
```

This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies.

This exploit would only work in the case that an attacker could inject HTML to your live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the XSS vector.

Pagefind has tightened this resolution by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45389
reference_id
reference_type
scores
0
value 0.01215
scoring_system epss
scoring_elements 0.79377
published_at 2026-06-09T12:55:00Z
1
value 0.01215
scoring_system epss
scoring_elements 0.79359
published_at 2026-06-08T12:55:00Z
2
value 0.01215
scoring_system epss
scoring_elements 0.79369
published_at 2026-06-07T12:55:00Z
3
value 0.01215
scoring_system epss
scoring_elements 0.79376
published_at 2026-06-06T12:55:00Z
4
value 0.01215
scoring_system epss
scoring_elements 0.79371
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45389
1
reference_url https://github.com/CloudCannon/pagefind
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/CloudCannon/pagefind
2
reference_url https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:02:11Z/
url https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45389
reference_id CVE-2024-45389
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45389
4
reference_url https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
reference_id GHSA-4vvj-4cpr-p986
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:02:11Z/
url https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
5
reference_url https://github.com/advisories/GHSA-gprj-6m2f-j9hx
reference_id GHSA-gprj-6m2f-j9hx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gprj-6m2f-j9hx
6
reference_url https://github.com/CloudCannon/pagefind/security/advisories/GHSA-gprj-6m2f-j9hx
reference_id GHSA-gprj-6m2f-j9hx
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:02:11Z/
url https://github.com/CloudCannon/pagefind/security/advisories/GHSA-gprj-6m2f-j9hx
fixed_packages
0
url pkg:npm/pagefind@1.1.1
purl pkg:npm/pagefind@1.1.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/pagefind@1.1.1
aliases CVE-2024-45389, GHSA-gprj-6m2f-j9hx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rn6m-y5hx-c7de
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/pagefind@1.0.2