Look up vulnerable packages by Package URL (purl).

GET /api/packages/990814?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/990814?format=api",
    "purl": "pkg:composer/october/rain@3.0.56",
    "type": "composer",
    "namespace": "october",
    "name": "rain",
    "version": "3.0.56",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "3.7.16",
    "latest_non_vulnerable_version": "4.1.10",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/17688?format=api",
            "vulnerability_id": "VCID-gzsh-33xn-z3a2",
            "summary": "October Rain has a Twig Sandbox Bypass via Collection Methods\nA sandbox bypass vulnerability was identified in the optional Twig safe mode feature (`CMS_SAFE_MODE`). Certain methods on the `collect()` helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections.\n\n### Impact\n- Bypass of Twig sandbox restrictions\n- Only affects installations with `CMS_SAFE_MODE` enabled (disabled by default)\n- Requires authenticated backend access with CMS template editing permissions\n\n### Patches\nThe vulnerability has been patched in v4.1.5 and v3.7.13. All users who have enabled safe mode are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Disable `CMS_SAFE_MODE` if untrusted template editing is not required\n- Restrict CMS template editing permissions to fully trusted administrators only\n\n### References\n- Reported by Ɓukasz Rybak",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22692",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05283",
                            "published_at": "2026-05-29T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22692"
                },
                {
                    "reference_url": "https://github.com/octobercms/october",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/octobercms/october"
                },
                {
                    "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T19:42:23Z/"
                        }
                    ],
                    "url": "https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22692",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22692"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-m5qg-jc75-4jp6",
                    "reference_id": "GHSA-m5qg-jc75-4jp6",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-m5qg-jc75-4jp6"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/50929?format=api",
                    "purl": "pkg:composer/october/rain@3.7.13",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-h55g-72bd-bydc"
                        },
                        {
                            "vulnerability": "VCID-shnd-sa5n-rqf7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.13"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/50927?format=api",
                    "purl": "pkg:composer/october/rain@4.1.5",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-h55g-72bd-bydc"
                        },
                        {
                            "vulnerability": "VCID-shnd-sa5n-rqf7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.5"
                }
            ],
            "aliases": [
                "CVE-2026-22692",
                "GHSA-m5qg-jc75-4jp6"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gzsh-33xn-z3a2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15403?format=api",
            "vulnerability_id": "VCID-h55g-72bd-bydc",
            "summary": "October Rain has Environment Variable Exfiltration via INI Parser Interpolation\nA server-side information disclosure vulnerability was identified in the INI settings parser. PHP's `parse_ini_string()` function supports `${}` syntax for environment variable interpolation. Attackers with Editor access could inject `${APP_KEY}`, `${DB_PASSWORD}`, or similar patterns into CMS page settings fields, causing sensitive environment variables to be resolved and stored in the template. These values were then returned to the attacker when the page was reopened.\n\n### Impact\n- Exfiltration of sensitive environment variables (APP_KEY, DB credentials, AWS keys, etc.)\n- Could enable further attacks: database access, cookie forgery, AWS resource access\n- Requires authenticated backend access with Editor permissions\n- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Restrict Editor tool access to fully trusted administrators only\n- Ensure database and cloud service credentials are not accessible from the web server's network\n\n### References\n- Reported by Pentest-Tools.com",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25125",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02909",
                            "published_at": "2026-05-29T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25125"
                },
                {
                    "reference_url": "https://github.com/octobercms/october",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/octobercms/october"
                },
                {
                    "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-g6v3-wv4j-x9hg",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T14:24:59Z/"
                        }
                    ],
                    "url": "https://github.com/octobercms/october/security/advisories/GHSA-g6v3-wv4j-x9hg"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25125",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25125"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-g6v3-wv4j-x9hg",
                    "reference_id": "GHSA-g6v3-wv4j-x9hg",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-g6v3-wv4j-x9hg"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/45360?format=api",
                    "purl": "pkg:composer/october/rain@3.7.14",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.14"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/990912?format=api",
                    "purl": "pkg:composer/october/rain@3.7.16",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.16"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/45359?format=api",
                    "purl": "pkg:composer/october/rain@4.1.10",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.10"
                }
            ],
            "aliases": [
                "CVE-2026-25125",
                "GHSA-g6v3-wv4j-x9hg"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h55g-72bd-bydc"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/17269?format=api",
            "vulnerability_id": "VCID-shnd-sa5n-rqf7",
            "summary": "October Rain has Stored XSS via SVG Filter Bypass\nA stored cross-site scripting (XSS) vulnerability was identified in the SVG sanitization logic. The regex pattern used to strip `on*` event handler attributes could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries.\n\n### Impact\n- Stored XSS via malicious SVG files uploaded through the Media Manager\n- Could allow privilege escalation if a superuser views or embeds the malicious SVG\n- Requires authenticated backend access with media upload permissions (`media.library.create`)\n- SVG must be viewed or embedded in a page to trigger\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Disable SVG uploads by adding `svg` to the blocked extensions in media configuration\n- Set `media.clean_vectors` to `true` in configuration (enabled by default)\n\n### References\n- Reported by Pentest-Tools.com",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25133",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9e-05",
                            "scoring_system": "epss",
                            "scoring_elements": "0.00927",
                            "published_at": "2026-05-29T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25133"
                },
                {
                    "reference_url": "https://github.com/octobercms/october",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/octobercms/october"
                },
                {
                    "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:47:21Z/"
                        }
                    ],
                    "url": "https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25133",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25133"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gcqv-f29m-67gr",
                    "reference_id": "GHSA-gcqv-f29m-67gr",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-gcqv-f29m-67gr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/45360?format=api",
                    "purl": "pkg:composer/october/rain@3.7.14",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.14"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/990912?format=api",
                    "purl": "pkg:composer/october/rain@3.7.16",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.16"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/45359?format=api",
                    "purl": "pkg:composer/october/rain@4.1.10",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.10"
                }
            ],
            "aliases": [
                "CVE-2026-25133",
                "GHSA-gcqv-f29m-67gr"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-shnd-sa5n-rqf7"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.0.56"
}