Vulnerability details: VCID-ye85-7kfw-43cp
Vulnerability ID VCID-ye85-7kfw-43cp
Aliases CVE-2021-23420
GHSA-4574-qv3w-fcmg
Summary
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00579 https://api.first.org/data/v1/epss?cve=CVE-2021-23420
cvssv3.1 9.8 https://github.com/advisories/GHSA-4574-qv3w-fcmg
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-4574-qv3w-fcmg
generic_textual CRITICAL https://github.com/advisories/GHSA-4574-qv3w-fcmg
cvssv3.1 9.8 https://github.com/Codeception/Codeception
generic_textual CRITICAL https://github.com/Codeception/Codeception
cvssv3.1 9.8 https://github.com/Codeception/Codeception/blob/4.1/CHANGELOG-4.x.md#4122
generic_textual CRITICAL https://github.com/Codeception/Codeception/blob/4.1/CHANGELOG-4.x.md#4122
cvssv3.1 9.8 https://github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php#L52
generic_textual CRITICAL https://github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php#L52
cvssv3.1 9.8 https://github.com/Codeception/Codeception/commit/802a108057d250ee563120eaa5365a519afc0a71
generic_textual CRITICAL https://github.com/Codeception/Codeception/commit/802a108057d250ee563120eaa5365a519afc0a71
cvssv3.1 9.8 https://github.com/Codeception/Codeception/commit/cbce9ea7f4664052fa1ac6b36f5b5a6dbd864d71
generic_textual CRITICAL https://github.com/Codeception/Codeception/commit/cbce9ea7f4664052fa1ac6b36f5b5a6dbd864d71
cvssv3.1 9.8 https://github.com/Codeception/Codeception/pull/6241
generic_textual CRITICAL https://github.com/Codeception/Codeception/pull/6241
cvssv3.1 9.8 https://github.com/FriendsOfPHP/security-advisories/blob/master/codeception/codeception/CVE-2021-23420.yaml
generic_textual CRITICAL https://github.com/FriendsOfPHP/security-advisories/blob/master/codeception/codeception/CVE-2021-23420.yaml
cvssv3.1 9.8 https://github.com/JinYiTong/poc
generic_textual CRITICAL https://github.com/JinYiTong/poc
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2021-23420
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2021-23420
cvssv3.1 9.8 https://snyk.io/vuln/SNYK-PHP-CODECEPTIONCODECEPTION-1324585
generic_textual CRITICAL https://snyk.io/vuln/SNYK-PHP-CODECEPTIONCODECEPTION-1324585
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/advisories/GHSA-4574-qv3w-fcmg
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/Codeception/Codeception
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/Codeception/Codeception/blob/4.1/CHANGELOG-4.x.md#4122
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/Codeception/Codeception/blob/4.1/ext/RunProcess.php#L52
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/Codeception/Codeception/commit/802a108057d250ee563120eaa5365a519afc0a71
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/Codeception/Codeception/commit/cbce9ea7f4664052fa1ac6b36f5b5a6dbd864d71
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/Codeception/Codeception/pull/6241
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/codeception/codeception/CVE-2021-23420.yaml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/JinYiTong/poc
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-23420
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://snyk.io/vuln/SNYK-PHP-CODECEPTIONCODECEPTION-1324585
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Exploit Prediction Scoring System (EPSS)
Percentile 0.69357
EPSS Score 0.00579
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-12T01:59:03.203052+00:00 EPSS Importer Import https://epss.cyentia.com/epss_scores-current.csv.gz 38.6.0