{"url":"http://public2.vulnerablecode.io/api/packages/932690?format=json","purl":"pkg:deb/debian/node-tough-cookie@4.1.3%2B~4.0.2-1?distro=trixie","type":"deb","namespace":"debian","name":"node-tough-cookie","version":"4.1.3+~4.0.2-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"4.1.4+~4.0.5-2","latest_non_vulnerable_version":"4.1.4+~4.0.5-2","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18166?format=json","vulnerability_id":"VCID-wjaq-7np6-z3bk","summary":"Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\nVersions of the package tough-cookie before 4.1.3 is vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26136.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26136.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26136","reference_id":"","reference_type":"","scores":[{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.90971","published_at":"2026-04-04T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.90962","published_at":"2026-04-02T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.90982","published_at":"2026-04-07T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.91029","published_at":"2026-04-18T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.91031","published_at":"2026-04-16T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.91006","published_at":"2026-04-13T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.91007","published_at":"2026-04-12T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.90998","published_at":"2026-04-09T12:55:00Z"},{"value":"0.06371","scoring_system":"epss","scoring_elements":"0.90993","published_at":"2026-04-08T12:55:00Z"},{"value":"0.06423","scoring_system":"epss","scoring_elements":"0.91103","published_at":"2026-05-05T12:55:00Z"},{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.9115","published_at":"2026-04-21T12:55:00Z"},{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.91163","published_at":"2026-04-24T12:55:00Z"},{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.91161","published_at":"2026-04-26T12:55:00Z"},{"value":"0.06587","scoring_system":"epss","scoring_elements":"0.91197","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26136"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136"},{"reference_url":"https://github.com/salesforce/tough-cookie","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/salesforce/tough-cookie"},{"reference_url":"https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e"},{"reference_url":"https://github.com/salesforce/tough-cookie/issues/282","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://github.com/salesforce/tough-cookie/issues/282"},{"reference_url":"https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240621-0006","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2219310","reference_id":"2219310","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2219310"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/","reference_id":"3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/","reference_id":"6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-09T20:37:58Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26136","reference_id":"CVE-2023-26136","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26136"},{"reference_url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3","reference_id":"GHSA-72xf-g2v4-qvf3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3998","reference_id":"RHSA-2023:3998","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3998"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:5006","reference_id":"RHSA-2023:5006","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:5006"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:5541","reference_id":"RHSA-2023:5541","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:5541"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:5542","reference_id":"RHSA-2023:5542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:5542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7222","reference_id":"RHSA-2023:7222","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7222"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8676","reference_id":"RHSA-2024:8676","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8676"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0082","reference_id":"RHSA-2025:0082","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0082"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0164","reference_id":"RHSA-2025:0164","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0164"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0323","reference_id":"RHSA-2025:0323","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0323"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932688?format=json","purl":"pkg:deb/debian/node-tough-cookie@4.0.0-2%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tough-cookie@4.0.0-2%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932686?format=json","purl":"pkg:deb/debian/node-tough-cookie@4.0.0-2%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tough-cookie@4.0.0-2%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932690?format=json","purl":"pkg:deb/debian/node-tough-cookie@4.1.3%2B~4.0.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tough-cookie@4.1.3%252B~4.0.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932689?format=json","purl":"pkg:deb/debian/node-tough-cookie@4.1.4%2B~4.0.5-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tough-cookie@4.1.4%252B~4.0.5-2%3Fdistro=trixie"}],"aliases":["CVE-2023-26136","GHSA-72xf-g2v4-qvf3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wjaq-7np6-z3bk"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tough-cookie@4.1.3%252B~4.0.2-1%3Fdistro=trixie"}