GCVE - cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Smartbear (`94fec60b-612f-51ea-9024-b74cfc3c3f18`)
Product	Swagger Ui (`b4fe3dc8-12a0-5445-880c-aed3ce70a089`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:bitbucket/buuuksg/swagger-ui`	purl2cpe	2026-06-01 10:18:16.931472
`pkg:docker/swaggerapi/swagger-ui`	purl2cpe	2026-06-01 10:18:16.931476
`pkg:github/swagger-api/swagger-ui`	purl2cpe	2026-06-01 10:18:16.931480
`pkg:maven/org.webjars.npm/swagger-ui`	purl2cpe	2026-06-01 10:18:16.931483
`pkg:npm/swagger-ui`	purl2cpe	2026-06-01 10:18:16.931487

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2019-17495`	vulnerable	2026-06-08 05:13:10.542037	Details available A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method. Published: 2019-10-10T21:04:49.000Z Updated: 2024-08-05T01:40:15.904Z Open on db.gcve.eu Reference links https://www.oracle.com/security-alerts/cpuoct2020.html https://github.com/tarantula-team/CSS-injection-in-Swagger-UI https://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11 https://www.oracle.com/security-alerts/cpuApr2021.html https://lists.apache.org/thread.html/r3acb7e494cf1aab99b6784b7c5bbddfd0d4f8a484ab534c3a61ef9cf%40%3Ccommits.airflow.apache.org%3E	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-25031`	vulnerable	2026-06-08 05:11:29.173003	Details available Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others. Published: 2022-03-11T06:47:46.000Z Updated: 2024-08-05T12:26:39.523Z Open on db.gcve.eu Reference links https://security.snyk.io/vuln/SNYK-JS-SWAGGERUI-2314885 https://github.com/swagger-api/swagger-ui/issues/4872 https://github.com/swagger-api/swagger-ui/releases/tag/v4.1.3 https://security.netapp.com/advisory/ntap-20220407-0004/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.