Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/%40orpc/client@0.0.0-next.cdf567b
Typenpm
Namespace@orpc
Nameclient
Version0.0.0-next.cdf567b
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.13.6
Latest_non_vulnerable_version2.0.0
Affected_by_vulnerabilities
0
url VCID-2k9q-7cd2-rua6
vulnerability_id VCID-2k9q-7cd2-rua6
summary oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28794
reference_id
reference_type
scores
0
value 0.01156
scoring_system epss
scoring_elements 0.78957
published_at 2026-06-11T12:55:00Z
1
value 0.01156
scoring_system epss
scoring_elements 0.79023
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28794
1
reference_url https://github.com/middleapi/orpc
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/middleapi/orpc
2
reference_url https://github.com/middleapi/orpc/commit/1dba06fc6f938c2486de303c2fa096bc1c8418b5
reference_id 1dba06fc6f938c2486de303c2fa096bc1c8418b5
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-09T19:53:21Z/
url https://github.com/middleapi/orpc/commit/1dba06fc6f938c2486de303c2fa096bc1c8418b5
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28794
reference_id CVE-2026-28794
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28794
4
reference_url https://github.com/advisories/GHSA-m272-9rp6-32mc
reference_id GHSA-m272-9rp6-32mc
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m272-9rp6-32mc
5
reference_url https://github.com/middleapi/orpc/security/advisories/GHSA-m272-9rp6-32mc
reference_id GHSA-m272-9rp6-32mc
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-09T19:53:21Z/
url https://github.com/middleapi/orpc/security/advisories/GHSA-m272-9rp6-32mc
fixed_packages
0
url pkg:npm/%40orpc/client@1.13.6
purl pkg:npm/%40orpc/client@1.13.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540orpc/client@1.13.6
1
url pkg:npm/%40orpc/client@2.0.0
purl pkg:npm/%40orpc/client@2.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540orpc/client@2.0.0
aliases CVE-2026-28794, GHSA-m272-9rp6-32mc
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2k9q-7cd2-rua6
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/%2540orpc/client@0.0.0-next.cdf567b