Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/771836?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/771836?format=api", "purl": "pkg:composer/sulu/sulu@2.0.0-alpha4", "type": "composer", "namespace": "sulu", "name": "sulu", "version": "2.0.0-alpha4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.6.23", "latest_non_vulnerable_version": "3.0.6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91196?format=api", "vulnerability_id": "VCID-4ypa-kb4x-guh5", "summary": "Sulu checks fix permissions for subentities endpoints\n### Impact\n\nA user which has permission for the Sulu Admin via atleast one role could have access to the subentities of contacts via the admin API without even have permission for contacts.\n\n### Patches\n\nThe issue was patched in release 2.6.22 and 3.0.5.\n\n### Workarounds\n\nCreate a Symfony Request Listener checking the permissions for the specific roles.\n\n### Resources\n\nGithub Advisory: https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34372", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0488", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04868", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05936", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0598", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0596", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34372" }, { "reference_url": "https://github.com/sulu/sulu", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sulu/sulu" }, { "reference_url": "https://github.com/sulu/sulu/releases/tag/2.6.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:06Z/" } ], "url": "https://github.com/sulu/sulu/releases/tag/2.6.22" }, { "reference_url": "https://github.com/sulu/sulu/releases/tag/3.0.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:06Z/" } ], "url": "https://github.com/sulu/sulu/releases/tag/3.0.5" }, { "reference_url": "https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T20:29:06Z/" } ], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34372", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34372" }, { "reference_url": "https://github.com/advisories/GHSA-6h7h-m7p5-hjqp", "reference_id": "GHSA-6h7h-m7p5-hjqp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6h7h-m7p5-hjqp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113234?format=api", "purl": "pkg:composer/sulu/sulu@2.6.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-53q2-31p4-q7b8" }, { "vulnerability": "VCID-dbc2-e7qq-f3f5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sulu/sulu@2.6.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/113235?format=api", "purl": "pkg:composer/sulu/sulu@3.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-53q2-31p4-q7b8" }, { "vulnerability": "VCID-dbc2-e7qq-f3f5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sulu/sulu@3.0.5" } ], "aliases": [ "CVE-2026-34372", "GHSA-6h7h-m7p5-hjqp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4ypa-kb4x-guh5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55932?format=api", "vulnerability_id": "VCID-7rdt-ppuf-87b6", "summary": "Cross-site Scripting via uploaded SVG\nIn Sulu v2.0.0 through v2.6.4 are vulnerable against XSS whereas a low privileged user with an access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims’ (other users including admins) browsers.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47618", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01613", "scoring_system": "epss", "scoring_elements": "0.82157", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.01613", "scoring_system": "epss", "scoring_elements": "0.82142", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.01613", "scoring_system": "epss", "scoring_elements": "0.8215", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01613", "scoring_system": "epss", "scoring_elements": "0.82148", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01613", "scoring_system": "epss", "scoring_elements": "0.82146", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47618" }, { "reference_url": "https://github.com/sulu/sulu", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sulu/sulu" }, { "reference_url": "https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T13:20:32Z/" } ], "url": "https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47618", "reference_id": "CVE-2024-47618", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47618" }, { "reference_url": "https://github.com/advisories/GHSA-255w-87rh-rg44", "reference_id": "GHSA-255w-87rh-rg44", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-255w-87rh-rg44" }, { "reference_url": "https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44", "reference_id": "GHSA-255w-87rh-rg44", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T13:20:32Z/" } ], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82837?format=api", "purl": "pkg:composer/sulu/sulu@2.5.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4ypa-kb4x-guh5" }, { "vulnerability": "VCID-qdn4-nkz1-rkaj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sulu/sulu@2.5.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/82838?format=api", "purl": "pkg:composer/sulu/sulu@2.6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4ypa-kb4x-guh5" }, { "vulnerability": "VCID-qdn4-nkz1-rkaj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sulu/sulu@2.6.5" } ], "aliases": [ "CVE-2024-47618", "GHSA-255w-87rh-rg44" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7rdt-ppuf-87b6" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sulu/sulu@2.0.0-alpha4" }