CWE-1395
Dependency on Vulnerable Third-Party Component
Description
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
Hierarchy (View 1000)
CVEs mapped to this weakness (5)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-34841 | Cri | 0.57 | 9.8 | 0.00 | Apr 6, 2026 | Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of… | ||
| CVE-2024-56327 | — | Cri | 0.57 | 9.8 | 0.00 | Dec 19, 2024 | pyrage is a set of Python bindings for the rage file encryption library (age in Rust). `pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to `pyrage` for the versions… | |
| CVE-2025-22871 | Cri | 0.52 | 9.1 | 0.01 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | ||
| CVE-2024-12797 | Med | 0.34 | 6.3 | 0.02 | Feb 11, 2025 | Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections… | ||
| CVE-2024-45399 | 0.00 | — | 0.00 | Sep 4, 2024 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when… |
- risk 0.57cvss 9.8epss 0.00
Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of…
- risk 0.57cvss 9.8epss 0.00
pyrage is a set of Python bindings for the rage file encryption library (age in Rust). `pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to `pyrage` for the versions…
- risk 0.52cvss 9.1epss 0.01
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
- risk 0.34cvss 6.3epss 0.02
Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections…
- CVE-2024-45399Sep 4, 2024risk 0.00cvss —epss 0.00
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when…