Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/79071?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/79071?format=api", "purl": "pkg:maven/com.typesafe.play/play_2.11@2.7.6", "type": "maven", "namespace": "com.typesafe.play", "name": "play_2.11", "version": "2.7.6", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110699?format=api", "vulnerability_id": "VCID-mw4j-vcb1-eya5", "summary": "Dev error stack trace leaking into prod in Play Framework\n### Impact\n\nPlay Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application.\n\nIn particular the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value.\n\n### Patches\n\nThis is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior.\n\n### Workarounds\n\nWhen constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play's `BuiltInComponents`. Ensure that your application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.\n\n### References\nhttps://www.playframework.com/documentation/2.8.x/ScalaErrorHandling#Supplying-a-custom-error-handler\nhttps://www.playframework.com/documentation/2.8.x/JavaErrorHandling#Supplying-a-custom-error-handler\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [playframework/playframework](https://github.com/playframework/playframework/)\n* Email us at [security@playframework.com](mailto:security@playframework.com)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31023", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0043", "scoring_system": "epss", "scoring_elements": "0.62898", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0043", "scoring_system": "epss", "scoring_elements": "0.6287", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0043", "scoring_system": "epss", "scoring_elements": "0.62913", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.0043", "scoring_system": "epss", "scoring_elements": "0.62922", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0043", "scoring_system": "epss", "scoring_elements": "0.62912", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31023" }, { "reference_url": "https://github.com/playframework/playframework", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/playframework/playframework" }, { "reference_url": "https://github.com/playframework/playframework/pull/11305", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:14Z/" } ], "url": "https://github.com/playframework/playframework/pull/11305" }, { "reference_url": "https://github.com/playframework/playframework/releases/tag/2.8.16", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:14Z/" } ], "url": "https://github.com/playframework/playframework/releases/tag/2.8.16" }, { "reference_url": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:14Z/" } ], "url": "https://github.com/playframework/playframework/security/advisories/GHSA-p9p4-97g9-wcrh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31023", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31023" }, { "reference_url": "https://github.com/advisories/GHSA-p9p4-97g9-wcrh", "reference_id": "GHSA-p9p4-97g9-wcrh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p9p4-97g9-wcrh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/503770?format=api", "purl": "pkg:maven/com.typesafe.play/play_2.11@2.8.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.typesafe.play/play_2.11@2.8.16" } ], "aliases": [ "CVE-2022-31023", "GHSA-p9p4-97g9-wcrh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mw4j-vcb1-eya5" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42346?format=api", "vulnerability_id": "VCID-378h-ypwm-f7hn", "summary": "Uncontrolled Recursion\nIn Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26882", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00408", "scoring_system": "epss", "scoring_elements": "0.61538", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00408", "scoring_system": "epss", "scoring_elements": "0.61491", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00408", "scoring_system": "epss", "scoring_elements": "0.61539", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00408", "scoring_system": "epss", "scoring_elements": "0.61546", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00408", "scoring_system": "epss", "scoring_elements": "0.61534", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00408", "scoring_system": "epss", "scoring_elements": "0.61517", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26882" }, { "reference_url": "https://github.com/playframework/playframework/pull/10495", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/playframework/playframework/pull/10495" }, { "reference_url": "https://www.playframework.com/security/vulnerability", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.playframework.com/security/vulnerability" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26882", "reference_id": "CVE-2020-26882", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26882" }, { "reference_url": "https://www.playframework.com/security/vulnerability/CVE-2020-26882-JsonParseDataAmplification", "reference_id": "CVE-2020-26882-JSONPARSEDATAAMPLIFICATION", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.playframework.com/security/vulnerability/CVE-2020-26882-JsonParseDataAmplification" }, { "reference_url": "https://github.com/advisories/GHSA-r8rm-4hfj-2x87", "reference_id": "GHSA-r8rm-4hfj-2x87", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r8rm-4hfj-2x87" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/263598?format=api", "purl": "pkg:maven/com.typesafe.play/play_2.11@2.7.0-M1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mw4j-vcb1-eya5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.typesafe.play/play_2.11@2.7.0-M1" }, { "url": "http://public2.vulnerablecode.io/api/packages/79071?format=api", "purl": "pkg:maven/com.typesafe.play/play_2.11@2.7.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mw4j-vcb1-eya5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.typesafe.play/play_2.11@2.7.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/79070?format=api", "purl": "pkg:maven/com.typesafe.play/play_2.11@2.8.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3vp3-auwv-bbf6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.typesafe.play/play_2.11@2.8.3" } ], "aliases": [ "CVE-2020-26882", "GHSA-r8rm-4hfj-2x87" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-378h-ypwm-f7hn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42342?format=api", "vulnerability_id": "VCID-r21j-tf23-vuh2", "summary": "Out-of-bounds Write\nAn issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-27196", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67408", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67373", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67414", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67422", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67409", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67393", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-27196" }, { "reference_url": "https://github.com/playframework/playframework/pull/10321", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/playframework/playframework/pull/10321" }, { "reference_url": "https://www.playframework.com/security/vulnerability", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.playframework.com/security/vulnerability" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27196", "reference_id": "CVE-2020-27196", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27196" }, { "reference_url": "https://www.playframework.com/security/vulnerability/CVE-2020-27196-DosViaJsonStackOverflow", "reference_id": "CVE-2020-27196-DOSVIAJSONSTACKOVERFLOW", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.playframework.com/security/vulnerability/CVE-2020-27196-DosViaJsonStackOverflow" }, { "reference_url": "https://github.com/advisories/GHSA-h48w-c35p-6m8x", "reference_id": "GHSA-h48w-c35p-6m8x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h48w-c35p-6m8x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/263598?format=api", "purl": "pkg:maven/com.typesafe.play/play_2.11@2.7.0-M1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mw4j-vcb1-eya5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.typesafe.play/play_2.11@2.7.0-M1" }, { "url": "http://public2.vulnerablecode.io/api/packages/79071?format=api", "purl": "pkg:maven/com.typesafe.play/play_2.11@2.7.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mw4j-vcb1-eya5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.typesafe.play/play_2.11@2.7.6" } ], "aliases": [ "CVE-2020-27196", "GHSA-h48w-c35p-6m8x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r21j-tf23-vuh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42340?format=api", "vulnerability_id": "VCID-z911-wjbu-kfcf", "summary": "Uncontrolled Recursion\nIn Play Framework, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26883", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67408", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67373", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67414", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67422", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67409", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00526", "scoring_system": "epss", "scoring_elements": "0.67393", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26883" }, { "reference_url": "https://github.com/playframework/playframework/pull/10495", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/playframework/playframework/pull/10495" }, { "reference_url": "https://www.playframework.com/security/vulnerability", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.playframework.com/security/vulnerability" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26883", "reference_id": "CVE-2020-26883", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26883" }, { "reference_url": "https://www.playframework.com/security/vulnerability/CVE-2020-26883-JsonParseUncontrolledRecursion", "reference_id": "CVE-2020-26883-JSONPARSEUNCONTROLLEDRECURSION", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.playframework.com/security/vulnerability/CVE-2020-26883-JsonParseUncontrolledRecursion" }, { "reference_url": "https://github.com/advisories/GHSA-p8p6-rcp6-4mrm", "reference_id": "GHSA-p8p6-rcp6-4mrm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p8p6-rcp6-4mrm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/263598?format=api", "purl": "pkg:maven/com.typesafe.play/play_2.11@2.7.0-M1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mw4j-vcb1-eya5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.typesafe.play/play_2.11@2.7.0-M1" }, { "url": "http://public2.vulnerablecode.io/api/packages/79071?format=api", "purl": "pkg:maven/com.typesafe.play/play_2.11@2.7.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mw4j-vcb1-eya5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.typesafe.play/play_2.11@2.7.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/79070?format=api", "purl": "pkg:maven/com.typesafe.play/play_2.11@2.8.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3vp3-auwv-bbf6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.typesafe.play/play_2.11@2.8.3" } ], "aliases": [ "CVE-2020-26883", "GHSA-p8p6-rcp6-4mrm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z911-wjbu-kfcf" } ], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.typesafe.play/play_2.11@2.7.6" }