Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/924727?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/924727?format=api", "purl": "pkg:deb/debian/h2o@0?distro=bullseye", "type": "deb", "namespace": "debian", "name": "h2o", "version": "0", "qualifiers": { "distro": "bullseye" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "2.2.3+dfsg-1", "latest_non_vulnerable_version": "2.2.5+dfsg2-7", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/156036?format=api", "vulnerability_id": "VCID-a87p-5cc2-c7g4", "summary": "Directory traversal vulnerability in H2O before 1.4.5 and 1.5.x before 1.5.0-beta2, when the file.dir directive is enabled, allows remote attackers to read arbitrary files via a crafted URL.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2015-5638", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47388", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47421", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47442", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47392", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47447", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47444", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47467", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47448", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47508", "published_at": "2026-04-16T12:55:00Z" }, { 
"value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.475", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47451", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47438", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47394", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.4731", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47374", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47335", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47366", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47439", "published_at": "2026-05-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2015-5638" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/924727?format=api", "purl": "pkg:deb/debian/h2o@0?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@0%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924728?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-6?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-6%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924726?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-7?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-7%3Fdistro=bullseye" } ], "aliases": [ "CVE-2015-5638" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a87p-5cc2-c7g4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/260943?format=api", "vulnerability_id": "VCID-bja7-a3uf-zqer", "summary": "h2o is an open source http server. In code prior to the `8c0eca3` commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o. This internal state includes traffic of other connections in unencrypted form and TLS session tickets. This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability. There are no known workarounds. 
Users of unreleased versions of h2o using HTTP/3 are advised to upgrade immediately.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43848", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94243", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94136", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94219", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94223", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94229", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94126", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94147", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.9415", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94159", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94163", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94168", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94169", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94184", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94189", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94191", "published_at": 
"2026-04-29T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94192", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94196", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.133", "scoring_system": "epss", "scoring_elements": "0.94207", "published_at": "2026-05-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43848" }, { "reference_url": "https://github.com/h2o/h2o/commit/8c0eca3", "reference_id": "8c0eca3", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:11:27Z/" } ], "url": "https://github.com/h2o/h2o/commit/8c0eca3" }, { "reference_url": "https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4", "reference_id": "GHSA-f9xw-j925-m4m4", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:11:27Z/" } ], "url": "https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/924727?format=api", "purl": "pkg:deb/debian/h2o@0?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@0%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924728?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-6?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-6%3Fdistro=bullseye" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/924726?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-7?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-7%3Fdistro=bullseye" } ], "aliases": [ "CVE-2021-43848" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bja7-a3uf-zqer" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/304930?format=api", "vulnerability_id": "VCID-e3m7-psun-vfby", "summary": "h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The QUIC stack (quicly), as used by H2O up to commit 43f86e5 (in version 2.3.0-beta and prior), is susceptible to a state exhaustion attack. When H2O is serving HTTP/3, a remote attacker can exploit this vulnerability to progressively increase the memory retained by the QUIC stack. This can eventually cause H2O to abort due to memory exhaustion. The vulnerability has been resolved in commit d67e81d03be12a9d53dc8271af6530f40164cd35. HTTP/1 and HTTP/2 are not affected by this vulnerability as they do not use QUIC. 
Administrators looking to mitigate this issue without upgrading can disable HTTP/3 support.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50247", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68283", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68303", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.6828", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68331", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68347", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68373", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.6836", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68328", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68367", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.6838", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68359", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68406", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68411", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68415", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": 
"0.68393", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68435", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68471", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68436", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.68463", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00562", "scoring_system": "epss", "scoring_elements": "0.6852", "published_at": "2026-05-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50247" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/924727?format=api", "purl": "pkg:deb/debian/h2o@0?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@0%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924728?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-6?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-6%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924726?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-7?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-7%3Fdistro=bullseye" } ], "aliases": [ "CVE-2023-50247" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e3m7-psun-vfby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/163339?format=api", "vulnerability_id": "VCID-gwvf-vrtr-v3dk", "summary": 
"Use-after-free vulnerability in H2O allows remote attackers to cause a denial-of-service (DoS) or obtain server certificate private keys and possibly other information.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-7835", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86854", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86865", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86884", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86878", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86898", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86906", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86919", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86915", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86909", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86926", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86931", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86948", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86954", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86958", "published_at": 
"2026-04-29T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86979", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.86996", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.87014", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.87009", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.87023", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.03157", "scoring_system": "epss", "scoring_elements": "0.87052", "published_at": "2026-05-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-7835" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/924727?format=api", "purl": "pkg:deb/debian/h2o@0?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@0%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924728?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-6?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-6%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924726?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-7?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-7%3Fdistro=bullseye" } ], "aliases": [ "CVE-2016-7835" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gwvf-vrtr-v3dk" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/161866?format=api", "vulnerability_id": "VCID-k8g5-d8xx-3ye4", "summary": "H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redirect or reproxy.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-4864", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81619", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.8163", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81652", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.8165", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81677", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81681", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81701", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81689", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81682", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81721", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.8172", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81724", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", 
"scoring_elements": "0.81749", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81758", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81764", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81781", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81802", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81827", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.81823", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.8184", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.01598", "scoring_system": "epss", "scoring_elements": "0.8188", "published_at": "2026-05-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-4864" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/924727?format=api", "purl": "pkg:deb/debian/h2o@0?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@0%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924728?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-6?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-6%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924726?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-7?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-7%3Fdistro=bullseye" } ], "aliases": [ "CVE-2016-4864" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k8g5-d8xx-3ye4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/159773?format=api", "vulnerability_id": "VCID-kn2d-fupu-wbam", "summary": "CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URI.", "references": [ { "reference_url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000003", "reference_id": "", "reference_type": "", "scores": [], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000003" }, { "reference_url": "http://jvn.jp/en/jp/JVN45928828/index.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://jvn.jp/en/jp/JVN45928828/index.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-1133", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59897", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59833", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59658", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59732", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59756", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59726", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59778", 
"published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59792", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59811", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59795", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59777", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59814", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59821", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59804", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59775", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59793", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59741", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59789", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.5985", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59806", "published_at": "2026-05-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-1133" }, { "reference_url": "https://github.com/h2o/h2o/issues/682", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/h2o/h2o/issues/682" }, { "reference_url": "https://github.com/h2o/h2o/issues/684", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://github.com/h2o/h2o/issues/684" }, { "reference_url": "https://h2o.examp1e.net/vulnerabilities.html#CVE-2016-1133", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h2o.examp1e.net/vulnerabilities.html#CVE-2016-1133" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:dena:h2o:1.7.0:beta2:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:dena:h2o:1.7.0:beta2:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:dena:h2o:1.7.0:beta2:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1133", "reference_id": "CVE-2016-1133", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:M/Au:N/C:N/I:P/A:N" }, { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1133" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/924727?format=api", "purl": "pkg:deb/debian/h2o@0?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@0%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924728?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-6?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-6%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924726?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-7?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-7%3Fdistro=bullseye" } ], "aliases": [ "CVE-2016-1133" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kn2d-fupu-wbam" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/293144?format=api", "vulnerability_id": "VCID-p463-b1yc-jkev", "summary": "H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. 
Users should upgrade to commit f010336 or later.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30847", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57346", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57368", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57344", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57396", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57398", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57413", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57393", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57372", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57394", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57328", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57351", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00497", "scoring_system": "epss", "scoring_elements": "0.65887", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0056", "scoring_system": "epss", "scoring_elements": "0.68379", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.0056", "scoring_system": "epss", "scoring_elements": "0.68414", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.0056", "scoring_system": "epss", "scoring_elements": "0.68335", "published_at": 
"2026-05-05T12:55:00Z" }, { "value": "0.0056", "scoring_system": "epss", "scoring_elements": "0.68378", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.0056", "scoring_system": "epss", "scoring_elements": "0.68406", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.0056", "scoring_system": "epss", "scoring_elements": "0.68464", "published_at": "2026-05-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30847" }, { "reference_url": "https://github.com/h2o/h2o/pull/3229", "reference_id": "3229", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-30T19:51:39Z/" } ], "url": "https://github.com/h2o/h2o/pull/3229" }, { "reference_url": "https://github.com/h2o/h2o/commit/f010336bab162839df43d9e87570897466c97e33", "reference_id": "f010336bab162839df43d9e87570897466c97e33", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-30T19:51:39Z/" } ], "url": "https://github.com/h2o/h2o/commit/f010336bab162839df43d9e87570897466c97e33" }, { "reference_url": "https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx", "reference_id": "GHSA-p5hj-phwj-hrvx", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-30T19:51:39Z/" } ], "url": "https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/924727?format=api", "purl": 
"pkg:deb/debian/h2o@0?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@0%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924728?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-6?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-6%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924726?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-7?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-7%3Fdistro=bullseye" } ], "aliases": [ "CVE-2023-30847" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p463-b1yc-jkev" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/204121?format=api", "vulnerability_id": "VCID-vgst-7jj7-cuet", "summary": "h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. The vulnerability has been addressed in commit 1ed32b2. 
Users may disable the use of HTTP/3 to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45403", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56027", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56018", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.55945", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.55965", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.5594", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.55887", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.55935", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.55994", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.55969", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.5598", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56001", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56031", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56034", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56044", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56024", "published_at": 
"2026-04-12T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56006", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56042", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56045", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45403" }, { "reference_url": "https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562", "reference_id": "16b13eee8ad7895b4fe3fcbcabee53bd52782562", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T14:40:44Z/" } ], "url": "https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562" }, { "reference_url": "https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c", "reference_id": "1ed32b23f999acf0c5029f09c8525f93eb1d354c", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T14:40:44Z/" } ], "url": "https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c" }, { "reference_url": "https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92", "reference_id": "GHSA-4xp5-3jhc-3m92", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T14:40:44Z/" } ], "url": "https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92" }, { 
"reference_url": "https://h2o.examp1e.net/configure/http3_directives.html", "reference_id": "http3_directives.html", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T14:40:44Z/" } ], "url": "https://h2o.examp1e.net/configure/http3_directives.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/924727?format=api", "purl": "pkg:deb/debian/h2o@0?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@0%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924728?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-6?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-6%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924726?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-7?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-7%3Fdistro=bullseye" } ], "aliases": [ "CVE-2024-45403" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vgst-7jj7-cuet" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/161823?format=api", "vulnerability_id": "VCID-ydjm-jrpz-bbgs", "summary": "lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 mishandles HTTP/2 disconnection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted packet.", 
"references": [ { "reference_url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000091", "reference_id": "", "reference_type": "", "scores": [], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000091" }, { "reference_url": "http://jvn.jp/en/jp/JVN87859762/index.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://jvn.jp/en/jp/JVN87859762/index.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-4817", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.9214", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.9212", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.9204", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.92045", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.92053", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.92058", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.9207", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.92073", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.92077", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.92084", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.92081", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.9208", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", 
"scoring_elements": "0.92091", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.92103", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.92113", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.07964", "scoring_system": "epss", "scoring_elements": "0.92112", "published_at": "2026-05-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-4817" }, { "reference_url": "https://github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4" }, { "reference_url": "https://github.com/h2o/h2o/pull/920", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/h2o/h2o/pull/920" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:dena:h2o:*:beta4:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:dena:h2o:*:beta4:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:dena:h2o:*:beta4:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4817", "reference_id": "CVE-2016-4817", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:N/C:N/I:N/A:P" }, { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2016-4817" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/924727?format=api", "purl": "pkg:deb/debian/h2o@0?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@0%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924728?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-6?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-6%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/924726?format=api", "purl": "pkg:deb/debian/h2o@2.2.5%2Bdfsg2-7?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@2.2.5%252Bdfsg2-7%3Fdistro=bullseye" } ], "aliases": [ "CVE-2016-4817" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ydjm-jrpz-bbgs" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/h2o@0%3Fdistro=bullseye" }