Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/sulu/sulu@2.0.0-alpha4
Typecomposer
Namespacesulu
Namesulu
Version2.0.0-alpha4
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.6.23
Latest_non_vulnerable_version3.0.6
Affected_by_vulnerabilities
0
url VCID-4ypa-kb4x-guh5
vulnerability_id VCID-4ypa-kb4x-guh5
summary 
Sulu checks fix permissions for subentities endpoints
### Impact

A user which has permission for the Sulu Admin via atleast one role could have access to the subentities of contacts via the admin API without even have permission for contacts.

### Patches

The issue was patched in release 2.6.22 and 3.0.5.

### Workarounds

Create a Symfony Request Listener checking the permissions for the specific roles.

### Resources

Github Advisory: https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34372
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.0488
published_at 2026-06-05T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.04868
published_at 2026-06-06T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.05936
published_at 2026-06-08T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.0598
published_at 2026-06-07T12:55:00Z
4
value 0.00021
scoring_system epss
scoring_elements 0.0596
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34372
1
reference_url https://github.com/sulu/sulu
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sulu/sulu
2
reference_url https://github.com/sulu/sulu/releases/tag/2.6.22
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:06Z/
url https://github.com/sulu/sulu/releases/tag/2.6.22
3
reference_url https://github.com/sulu/sulu/releases/tag/3.0.5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:06Z/
url https://github.com/sulu/sulu/releases/tag/3.0.5
4
reference_url https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:06Z/
url https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34372
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34372
6
reference_url https://github.com/advisories/GHSA-6h7h-m7p5-hjqp
reference_id GHSA-6h7h-m7p5-hjqp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6h7h-m7p5-hjqp
fixed_packages
0
url pkg:composer/sulu/sulu@2.6.22
purl pkg:composer/sulu/sulu@2.6.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-53q2-31p4-q7b8
1
vulnerability VCID-dbc2-e7qq-f3f5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/sulu/sulu@2.6.22
1
url pkg:composer/sulu/sulu@3.0.5
purl pkg:composer/sulu/sulu@3.0.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-53q2-31p4-q7b8
1
vulnerability VCID-dbc2-e7qq-f3f5
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/sulu/sulu@3.0.5
aliases CVE-2026-34372, GHSA-6h7h-m7p5-hjqp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4ypa-kb4x-guh5
1
url VCID-7rdt-ppuf-87b6
vulnerability_id VCID-7rdt-ppuf-87b6
summary 
Cross-site Scripting via uploaded SVG
In Sulu v2.0.0 through v2.6.4 are vulnerable against XSS whereas a low privileged user with an access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims’ (other users including admins) browsers.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47618
reference_id
reference_type
scores
0
value 0.01613
scoring_system epss
scoring_elements 0.82157
published_at 2026-06-09T12:55:00Z
1
value 0.01613
scoring_system epss
scoring_elements 0.82142
published_at 2026-06-08T12:55:00Z
2
value 0.01613
scoring_system epss
scoring_elements 0.8215
published_at 2026-06-07T12:55:00Z
3
value 0.01613
scoring_system epss
scoring_elements 0.82148
published_at 2026-06-06T12:55:00Z
4
value 0.01613
scoring_system epss
scoring_elements 0.82146
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47618
1
reference_url https://github.com/sulu/sulu
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sulu/sulu
2
reference_url https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T13:20:32Z/
url https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47618
reference_id CVE-2024-47618
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-47618
4
reference_url https://github.com/advisories/GHSA-255w-87rh-rg44
reference_id GHSA-255w-87rh-rg44
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-255w-87rh-rg44
5
reference_url https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44
reference_id GHSA-255w-87rh-rg44
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T13:20:32Z/
url https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44
fixed_packages
0
url pkg:composer/sulu/sulu@2.5.21
purl pkg:composer/sulu/sulu@2.5.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4ypa-kb4x-guh5
1
vulnerability VCID-qdn4-nkz1-rkaj
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/sulu/sulu@2.5.21
1
url pkg:composer/sulu/sulu@2.6.5
purl pkg:composer/sulu/sulu@2.6.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4ypa-kb4x-guh5
1
vulnerability VCID-qdn4-nkz1-rkaj
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/sulu/sulu@2.6.5
aliases CVE-2024-47618, GHSA-255w-87rh-rg44
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7rdt-ppuf-87b6
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/sulu/sulu@2.0.0-alpha4