{"url":"http://public2.vulnerablecode.io/api/packages/955278?format=json","purl":"pkg:pypi/vitrage@9.0.0","type":"pypi","namespace":"","name":"vitrage","version":"9.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"12.0.1","latest_non_vulnerable_version":"15.0.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69184?format=json","vulnerability_id":"VCID-hx41-5y79-5bdw","summary":"In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28370","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12526","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28370"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28370","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28370"},{"reference_url":"https://github.com/openstack/vitrage","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openstack/vitrage"},{"reference_url":"https://github.com/openstack/vitrage/commit/89df4bd2ffda1a5ddea66cd828438a6a171a3b11","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openstack/vitrage/commit/89df4bd2ffda1a5ddea66cd828438a6a171a3b11"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/03/03/6","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/03/03/6"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139452","reference_id":"1139452","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139452"},{"reference_url":"https://storyboard.openstack.org/#%21/story/2011539","reference_id":"2011539","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-27T15:47:42Z/"}],"url":"https://storyboard.openstack.org/#%21/story/2011539"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28370","reference_id":"CVE-2026-28370","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28370"},{"reference_url":"https://github.com/advisories/GHSA-8xwf-cr4r-856r","reference_id":"GHSA-8xwf-cr4r-856r","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8xwf-cr4r-856r"},{"reference_url":"https://github.com/openstack/vitrage/blob/a1f86950e1314b0c740f9cd9b7e9dbab7d02af51/vitrage/graph/query.py#L70","reference_id":"query.py#L70","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-27T15:47:42Z/"}],"url":"https://github.com/openstack/vitrage/blob/a1f86950e1314b0c740f9cd9b7e9dbab7d02af51/vitrage/graph/query.py#L70"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39949?format=json","purl":"pkg:pypi/vitrage@12.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vitrage@12.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/39948?format=json","purl":"pkg:pypi/vitrage@13.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vitrage@13.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/39954?format=json","purl":"pkg:pypi/vitrage@14.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vitrage@14.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/39956?format=json","purl":"pkg:pypi/vitrage@15.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vitrage@15.0.1"}],"aliases":["CVE-2026-28370","GHSA-8xwf-cr4r-856r"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hx41-5y79-5bdw"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vitrage@9.0.0"}