Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-sf4w-ajhm-ufgp
Vulnerability ID VCID-sf4w-ajhm-ufgp
Aliases CVE-2020-18703
GHSA-3xg5-6c3j-vp8x
PYSEC-2021-144
Summary XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'.
Status Published
Exploitability 0.5
Weighted Severity 0.0
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-611 Improper Restriction of XML External Entity Reference
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.02571 https://api.first.org/data/v1/epss?cve=CVE-2020-18703
cvssv3.1 9.8 https://github.com/pypa/advisory-database/tree/main/vulns/quokka/PYSEC-2021-144.yaml
generic_textual CRITICAL https://github.com/pypa/advisory-database/tree/main/vulns/quokka/PYSEC-2021-144.yaml
cvssv3.1 9.8 https://github.com/quokkaproject/quokka
generic_textual CRITICAL https://github.com/quokkaproject/quokka
cvssv3.1 9.8 https://github.com/rochacbruno/quokka/issues/676
generic_textual CRITICAL https://github.com/rochacbruno/quokka/issues/676
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2020-18703
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2020-18703
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2020-18703
https://github.com/advisories/GHSA-3xg5-6c3j-vp8x
https://github.com/pypa/advisory-database/tree/main/vulns/quokka/PYSEC-2021-144.yaml
https://github.com/quokkaproject/quokka
https://github.com/rochacbruno/quokka/issues/676
CVE-2020-18703 https://nvd.nist.gov/vuln/detail/CVE-2020-18703
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/quokka/PYSEC-2021-144.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/quokkaproject/quokka
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rochacbruno/quokka/issues/676
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-18703
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.85804
EPSS Score 0.02571
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:27:30.956889+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/quokka/PYSEC-2021-144.yaml 38.6.0