Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/75784?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75784?format=api", "vulnerability_id": "VCID-mb8x-dcy7-5udu", "summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\n\nThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.", "aliases": [ { "alias": "CVE-2026-6366" }, { "alias": "GHSA-xmjc-63pr-2mpg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41337?format=api", "purl": "pkg:composer/drupal/core@10.5.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/41335?format=api", "purl": "pkg:composer/drupal/core@10.6.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.6.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/41336?format=api", "purl": "pkg:composer/drupal/core@11.2.11", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/41333?format=api", "purl": "pkg:composer/drupal/core@11.3.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.3.7" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/15635?format=api", "purl": "pkg:composer/drupal/core@8.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12yf-8sub-uyhb" }, { "vulnerability": "VCID-1d2m-3ycf-3ycf" }, { "vulnerability": "VCID-26ck-rher-hfg4" }, { "vulnerability": "VCID-28cu-un2e-xub7" }, { 
"vulnerability": "VCID-293a-m7nd-vygb" }, { "vulnerability": "VCID-2wdn-8583-v3dg" }, { "vulnerability": "VCID-335n-fzp7-k7bc" }, { "vulnerability": "VCID-3avj-j2h8-qbhh" }, { "vulnerability": "VCID-3y39-quaw-ufe8" }, { "vulnerability": "VCID-4bym-pcfj-ykde" }, { "vulnerability": "VCID-4sqe-bvj6-pkdq" }, { "vulnerability": "VCID-57k5-xdsf-h3ch" }, { "vulnerability": "VCID-57nk-7ugd-vucf" }, { "vulnerability": "VCID-5ytn-jezc-bfdq" }, { "vulnerability": "VCID-6pdz-udxy-ebhy" }, { "vulnerability": "VCID-75bq-ccux-afdn" }, { "vulnerability": "VCID-7mhn-vstn-bqh5" }, { "vulnerability": "VCID-7sar-42a4-kqdy" }, { "vulnerability": "VCID-85pr-rrx5-5keu" }, { "vulnerability": "VCID-8h75-dgjd-nyc3" }, { "vulnerability": "VCID-94he-hr4a-yygs" }, { "vulnerability": "VCID-a4ps-1cdu-4ucv" }, { "vulnerability": "VCID-a7jg-mx1k-57h3" }, { "vulnerability": "VCID-aex1-r4xe-kkaj" }, { "vulnerability": "VCID-agxw-t98a-j3bm" }, { "vulnerability": "VCID-ajhs-t3zd-6qah" }, { "vulnerability": "VCID-aqce-af3u-myd2" }, { "vulnerability": "VCID-bha5-1s4u-3bg6" }, { "vulnerability": "VCID-bmw2-bvu6-rkev" }, { "vulnerability": "VCID-d6bg-1u2b-1qdt" }, { "vulnerability": "VCID-daj4-u9em-mbc3" }, { "vulnerability": "VCID-e427-q7jy-1uad" }, { "vulnerability": "VCID-e4nv-qway-2ygf" }, { "vulnerability": "VCID-e569-xntr-mkgm" }, { "vulnerability": "VCID-e5uh-sqmj-qyg7" }, { "vulnerability": "VCID-ed3c-h2ww-j3gm" }, { "vulnerability": "VCID-eje5-fhmg-hbbt" }, { "vulnerability": "VCID-fc3m-cktu-7uff" }, { "vulnerability": "VCID-fqah-snwt-qfhj" }, { "vulnerability": "VCID-ftd8-be73-5bc3" }, { "vulnerability": "VCID-fwnm-xws3-8uhz" }, { "vulnerability": "VCID-hcvb-4eys-2qg3" }, { "vulnerability": "VCID-hdq9-fe9e-93hb" }, { "vulnerability": "VCID-hmkt-cwbg-kqh4" }, { "vulnerability": "VCID-hs3h-z841-67ge" }, { "vulnerability": "VCID-jbd8-jvfd-cbbx" }, { "vulnerability": "VCID-jnfd-5ez3-b7d1" }, { "vulnerability": "VCID-k48k-jdda-zqbh" }, { "vulnerability": "VCID-kepa-chya-sfdb" }, { "vulnerability": 
"VCID-krdz-kyhc-efg5" }, { "vulnerability": "VCID-krjp-u36k-17fs" }, { "vulnerability": "VCID-kryq-8j5g-d7a6" }, { "vulnerability": "VCID-ku79-by46-s3h9" }, { "vulnerability": "VCID-mb8x-dcy7-5udu" }, { "vulnerability": "VCID-mjjh-e7up-6ubf" }, { "vulnerability": "VCID-mntp-ycvs-a7cd" }, { "vulnerability": "VCID-mt7b-j5j8-7qdb" }, { "vulnerability": "VCID-muhk-wbuy-97bu" }, { "vulnerability": "VCID-nhub-1map-n3by" }, { "vulnerability": "VCID-nx17-duan-vyak" }, { "vulnerability": "VCID-qec2-bj92-pue9" }, { "vulnerability": "VCID-qtax-krps-1udn" }, { "vulnerability": "VCID-qvsn-ab7h-cqc5" }, { "vulnerability": "VCID-rf34-12k7-xbh4" }, { "vulnerability": "VCID-s5ak-abr9-vbe6" }, { "vulnerability": "VCID-saqq-4efb-affy" }, { "vulnerability": "VCID-sbsk-ydyr-kfbt" }, { "vulnerability": "VCID-sdue-15dg-4ugt" }, { "vulnerability": "VCID-sgub-4xen-bbcy" }, { "vulnerability": "VCID-tdsq-5bqr-aufq" }, { "vulnerability": "VCID-tf14-rq7e-17av" }, { "vulnerability": "VCID-tk5j-xph4-q3e5" }, { "vulnerability": "VCID-ufsx-tacm-afg8" }, { "vulnerability": "VCID-uhb6-fx8q-cqe5" }, { "vulnerability": "VCID-ukak-793e-m3gx" }, { "vulnerability": "VCID-v3nf-tw9b-13c1" }, { "vulnerability": "VCID-v59c-81z7-q7aw" }, { "vulnerability": "VCID-v69x-fke2-h7a6" }, { "vulnerability": "VCID-v7ya-c9mf-e7dp" }, { "vulnerability": "VCID-vafp-yvad-t3b3" }, { "vulnerability": "VCID-vc7s-6p62-bfaw" }, { "vulnerability": "VCID-vpn8-qteh-9yhz" }, { "vulnerability": "VCID-vrva-c7km-ekda" }, { "vulnerability": "VCID-w5a9-jg34-3ubx" }, { "vulnerability": "VCID-wn4r-rc6m-xbhy" }, { "vulnerability": "VCID-xcck-137u-wyam" }, { "vulnerability": "VCID-xgtt-3z1m-b3ag" }, { "vulnerability": "VCID-xhgk-sf8f-fuav" }, { "vulnerability": "VCID-xsma-2ryf-zqd4" }, { "vulnerability": "VCID-xyu6-aqjk-r7g7" }, { "vulnerability": "VCID-yj7d-w9vg-23dn" }, { "vulnerability": "VCID-yjm8-gadp-jkhr" }, { "vulnerability": "VCID-yku8-k9fs-d7c8" }, { "vulnerability": "VCID-ypdc-yptn-7qdp" }, { "vulnerability": 
"VCID-zt27-b3qc-fbac" }, { "vulnerability": "VCID-zxut-nxke-7fce" }, { "vulnerability": "VCID-zymc-a812-1ua5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/41334?format=api", "purl": "pkg:composer/drupal/core@10.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mb8x-dcy7-5udu" }, { "vulnerability": "VCID-saqq-4efb-affy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.6.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/33155?format=api", "purl": "pkg:composer/drupal/core@11.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1d2m-3ycf-3ycf" }, { "vulnerability": "VCID-1w42-v1sq-fkac" }, { "vulnerability": "VCID-227y-mp79-jydd" }, { "vulnerability": "VCID-26ck-rher-hfg4" }, { "vulnerability": "VCID-4sqe-bvj6-pkdq" }, { "vulnerability": "VCID-7sar-42a4-kqdy" }, { "vulnerability": "VCID-94he-hr4a-yygs" }, { "vulnerability": "VCID-aqce-af3u-myd2" }, { "vulnerability": "VCID-e5uh-sqmj-qyg7" }, { "vulnerability": "VCID-ggb3-jgrj-hken" }, { "vulnerability": "VCID-mb8x-dcy7-5udu" }, { "vulnerability": "VCID-nx17-duan-vyak" }, { "vulnerability": "VCID-rf34-12k7-xbh4" }, { "vulnerability": "VCID-saqq-4efb-affy" }, { "vulnerability": "VCID-tdsq-5bqr-aufq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/41332?format=api", "purl": "pkg:composer/drupal/core@11.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29f2-xku4-b7cs" }, { "vulnerability": "VCID-mb8x-dcy7-5udu" }, { "vulnerability": "VCID-saqq-4efb-affy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.3.0" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-6366", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20455", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.23964", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.25265", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.25251", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-6366" }, { "reference_url": "https://github.com/drupal/core", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/drupal/core" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6366", "reference_id": "CVE-2026-6366", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6366" }, { "reference_url": "https://github.com/advisories/GHSA-xmjc-63pr-2mpg", "reference_id": "GHSA-xmjc-63pr-2mpg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xmjc-63pr-2mpg" }, { "reference_url": "https://www.drupal.org/sa-core-2026-002", "reference_id": "sa-core-2026-002", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": 
"Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-20T12:57:29Z/" } ], "url": "https://www.drupal.org/sa-core-2026-002" } ], "weaknesses": [ { "cwe_id": 915, "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes", "description": "The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": "0.5", "weighted_severity": "6.2", "risk_score": 3.1, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mb8x-dcy7-5udu" }