本頁列出影響 passbolt passbolt_api 的已公開 CVE 漏洞(透過 NVD CPE 關聯)。每列包含嚴重程度評分、摘要與發布日期,便於識別與分析安全議題。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2025-27913 | Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header. | [email protected] | 2.1 | 0.17% | 2025-03-10 | 2026-06-17 |
| CVE-2024-33670 | Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page. | [email protected] | 4.3 | 0.46% | 2024-04-25 | 2026-06-17 |
| CVE-2017-1000442 | Passbolt API version 1.6.4 and older are vulnerable to a XSS in the url field on the password workspace | [email protected] | 5.4 | 0.52% | 2018-01-02 | 2026-06-16 |