Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/959462?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/959462?format=api", "purl": "pkg:pypi/pydantic-ai-slim@1.14.1", "type": "pypi", "namespace": "", "name": "pydantic-ai-slim", "version": "1.14.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.99.0", "latest_non_vulnerable_version": "1.99.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50046?format=api", "vulnerability_id": "VCID-r85m-zgq5-1fab", "summary": "Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling\nA Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials.\n\n**This vulnerability only affects applications that accept message history from external users**, such as those using:\n- **`Agent.to_web`** or **`clai web`** to serve a chat interface\n- **`VercelAIAdapter`** for Vercel AI SDK integration\n- **`AGUIAdapter`** or **`Agent.to_ag_ui`** for AG-UI protocol integration\n- Custom APIs that accept message history from user input\n\nApplications that only use hardcoded or developer-controlled URLs are not affected.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25580.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25580.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25580", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04728", "published_at": 
"2026-06-05T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.047", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04712", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05496", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25580" }, { "reference_url": "https://github.com/pydantic/pydantic-ai", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pydantic/pydantic-ai" }, { "reference_url": "https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:59Z/" } ], "url": "https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437781", "reference_id": "2437781", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437781" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25580", "reference_id": "CVE-2026-25580", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-25580" }, { "reference_url": "https://github.com/advisories/GHSA-2jrp-274c-jhv3", "reference_id": "GHSA-2jrp-274c-jhv3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2jrp-274c-jhv3" }, { "reference_url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3", "reference_id": "GHSA-2jrp-274c-jhv3", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:21:59Z/" } ], "url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73925?format=api", "purl": "pkg:pypi/pydantic-ai-slim@1.56.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-rgd3-g7uy-y7cy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pydantic-ai-slim@1.56.0" } ], "aliases": [ "CVE-2026-25580", "GHSA-2jrp-274c-jhv3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r85m-zgq5-1fab" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pydantic-ai-slim@1.14.1" }