Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40orpc/client@1.5.0
Type npm
Namespace @orpc
Name client
Version 1.5.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.13.6
Latest_non_vulnerable_version 2.0.0
Affected_by_vulnerabilities
0
url VCID-utb3-dcpa-pudu
vulnerability_id VCID-utb3-dcpa-pudu
summary
`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization
A critical Prototype Pollution vulnerability exists in the RPC JSON deserializer of the `@orpc/client` package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global `Object.prototype`. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28794
reference_id
reference_type
scores
0
value 0.00871
scoring_system epss
scoring_elements 0.75587
published_at 2026-06-06T12:55:00Z
1
value 0.00871
scoring_system epss
scoring_elements 0.75577
published_at 2026-06-07T12:55:00Z
2
value 0.00871
scoring_system epss
scoring_elements 0.75584
published_at 2026-06-05T12:55:00Z
3
value 0.01156
scoring_system epss
scoring_elements 0.78913
published_at 2026-06-09T12:55:00Z
4
value 0.01156
scoring_system epss
scoring_elements 0.78895
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28794
1
reference_url https://github.com/middleapi/orpc
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/middleapi/orpc
2
reference_url https://github.com/middleapi/orpc/commit/1dba06fc6f938c2486de303c2fa096bc1c8418b5
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-09T19:53:21Z/
url https://github.com/middleapi/orpc/commit/1dba06fc6f938c2486de303c2fa096bc1c8418b5
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28794
reference_id CVE-2026-28794
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28794
4
reference_url https://github.com/advisories/GHSA-m272-9rp6-32mc
reference_id GHSA-m272-9rp6-32mc
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m272-9rp6-32mc
5
reference_url https://github.com/middleapi/orpc/security/advisories/GHSA-m272-9rp6-32mc
reference_id GHSA-m272-9rp6-32mc
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-09T19:53:21Z/
url https://github.com/middleapi/orpc/security/advisories/GHSA-m272-9rp6-32mc
fixed_packages
0
url pkg:npm/%40orpc/client@1.13.6
purl pkg:npm/%40orpc/client@1.13.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540orpc/client@1.13.6
1
url pkg:npm/%40orpc/client@2.0.0
purl pkg:npm/%40orpc/client@2.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540orpc/client@2.0.0
aliases CVE-2026-28794, GHSA-m272-9rp6-32mc
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-utb3-dcpa-pudu
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540orpc/client@1.5.0