[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-33540":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T02:55:33.997Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":23,"aliases":33,"duplicate_of":9,"upstream":35,"downstream":36,"duplicates":43,"related":44,"reserved_at":9,"published_at":48,"modified_at":49,"state":50,"summary":51,"references_raw":59,"kevs":84,"epss":85,"epss_history":88,"metrics":268,"affected":278},"CVE-2026-33540","Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker in a MitM position relative to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. 
This vulnerability is fixed in 3.1.0.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-918","Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.","weakness","Incomplete","Base",[19],{"id":20,"name":21,"techniques":22},"CAPEC-664","Server Side Request Forgery",[],[24],{"_key":25,"name":26,"source":27,"url":28,"maturity":29,"reliability_score":30,"verified":31,"type":9,"platforms":32,"requires_auth":9,"exploitdb":9,"metasploit":9},"GITHUB_DISTRIBUTION_DISTRIBUTION","Distribution","github","https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r","poc",0.3,false,[],[34],"GHSA-3p65-76g6-3w7r",[],[37,39,41],{"_key":38},"DEBIAN-CVE-2026-33540",{"_key":40},"OPENSUSE-SU-2026:10631-1",{"_key":42},"UBUNTU-CVE-2026-33540",[],[45,46],{"_key":40},{"_key":47},"CGA-4FXM-PMFG-6HJW","2026-04-06T14:55:04.812Z","2026-04-06T15:04:50.154Z","Analyzed",{"cisa_kev":31,"cisa_ransomware":31,"cisa_vendor":9,"epss_severity":52,"epss_score":53,"severity":54,"severity_score":55,"severity_version":56,"severity_source":57,"severity_vector":58,"severity_status":50},"low",0.00055,"high",7.5,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",[60,70,75,79],{"url":28,"sources":61,"tags":64},[57,62,63],"nvd","osv_go",[65,66,67,68,69],"X Refsource CONFIRM","WEB","Exploit","Mitigation","Vendor 
Advisory",{"url":71,"sources":72,"tags":73},"https://nvd.nist.gov/vuln/detail/CVE-2026-33540",[63],[74],"Advisory",{"url":76,"sources":77,"tags":78},"https://github.com/distribution/distribution/commit/cc5d5fa4ba02157501e6afa2cc6a903ad0338e7b",[63],[66],{"url":80,"sources":81,"tags":82},"https://github.com/distribution/distribution",[63],[83],"PACKAGE",[],{"date":86,"score":53,"percentile":87},"2026-06-05",0.17553,[89,93,96,99,103,106,110,113,116,119,122,125,127,130,133,136,139,142,145,148,151,154,157,160,163,166,168,171,174,177,180,183,187,190,193,196,199,202,205,208,211,214,217,220,223,226,229,232,235,238,241,244,247,250,253,256,259,262,264,267],{"date":90,"score":91,"percentile":92},"2026-04-07",0.00027,0.07531,{"date":94,"score":91,"percentile":95},"2026-04-08",0.0759,{"date":97,"score":91,"percentile":98},"2026-04-09",0.0761,{"date":100,"score":101,"percentile":102},"2026-04-10",0.00028,0.08112,{"date":104,"score":101,"percentile":105},"2026-04-11",0.08103,{"date":107,"score":108,"percentile":109},"2026-04-12",0.00037,0.11138,{"date":111,"score":108,"percentile":112},"2026-04-13",0.11115,{"date":114,"score":108,"percentile":115},"2026-04-14",0.10968,{"date":117,"score":108,"percentile":118},"2026-04-15",0.10994,{"date":120,"score":108,"percentile":121},"2026-04-16",0.1098,{"date":123,"score":108,"percentile":124},"2026-04-17",0.10991,{"date":126,"score":108,"percentile":118},"2026-04-18",{"date":128,"score":108,"percentile":129},"2026-04-19",0.10971,{"date":131,"score":108,"percentile":132},"2026-04-20",0.10955,{"date":134,"score":108,"percentile":135},"2026-04-21",0.1113,{"date":137,"score":108,"percentile":138},"2026-04-22",0.11177,{"date":140,"score":108,"percentile":141},"2026-04-23",0.11188,{"date":143,"score":108,"percentile":144},"2026-04-24",0.11074,{"date":146,"score":108,"percentile":147},"2026-04-25",0.11076,{"date":149,"score":108,"percentile":150},"2026-04-26",0.11029,{"date":152,"score":108,"percentile":153},"2026-04-27",0.1101,{"date":155,"score"
:108,"percentile":156},"2026-04-28",0.10969,{"date":158,"score":108,"percentile":159},"2026-04-29",0.10965,{"date":161,"score":108,"percentile":162},"2026-04-30",0.10954,{"date":164,"score":108,"percentile":165},"2026-05-01",0.10928,{"date":167,"score":108,"percentile":156},"2026-05-02",{"date":169,"score":108,"percentile":170},"2026-05-03",0.1095,{"date":172,"score":108,"percentile":173},"2026-05-04",0.10907,{"date":175,"score":108,"percentile":176},"2026-05-05",0.10904,{"date":178,"score":108,"percentile":179},"2026-05-06",0.10896,{"date":181,"score":108,"percentile":182},"2026-05-07",0.11041,{"date":184,"score":185,"percentile":186},"2026-05-08",0.00041,0.12236,{"date":188,"score":185,"percentile":189},"2026-05-09",0.12283,{"date":191,"score":185,"percentile":192},"2026-05-10",0.12285,{"date":194,"score":185,"percentile":195},"2026-05-11",0.12275,{"date":197,"score":185,"percentile":198},"2026-05-12",0.12297,{"date":200,"score":185,"percentile":201},"2026-05-13",0.12322,{"date":203,"score":185,"percentile":204},"2026-05-14",0.12366,{"date":206,"score":185,"percentile":207},"2026-05-15",0.12371,{"date":209,"score":185,"percentile":210},"2026-05-16",0.1241,{"date":212,"score":185,"percentile":213},"2026-05-17",0.12386,{"date":215,"score":53,"percentile":216},"2026-05-18",0.17139,{"date":218,"score":53,"percentile":219},"2026-05-19",0.17117,{"date":221,"score":53,"percentile":222},"2026-05-20",0.17134,{"date":224,"score":53,"percentile":225},"2026-05-21",0.17122,{"date":227,"score":53,"percentile":228},"2026-05-22",0.17273,{"date":230,"score":53,"percentile":231},"2026-05-23",0.17257,{"date":233,"score":53,"percentile":234},"2026-05-24",0.17221,{"date":236,"score":53,"percentile":237},"2026-05-25",0.17204,{"date":239,"score":53,"percentile":240},"2026-05-26",0.17198,{"date":242,"score":53,"percentile":243},"2026-05-27",0.17293,{"date":245,"score":53,"percentile":246},"2026-05-28",0.1743,{"date":248,"score":53,"percentile":249},"2026-05-29",0.17498,{"date":251,"score
":53,"percentile":252},"2026-05-30",0.17488,{"date":254,"score":53,"percentile":255},"2026-05-31",0.17475,{"date":257,"score":53,"percentile":258},"2026-06-01",0.17456,{"date":260,"score":53,"percentile":261},"2026-06-02",0.17458,{"date":263,"score":53,"percentile":261},"2026-06-03",{"date":265,"score":53,"percentile":266},"2026-06-04",0.17474,{"date":86,"score":53,"percentile":87},[269,274,276],{"source":57,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":270,"cvss_v4_0":9},{"baseScore":55,"baseSeverity":271,"vectorString":58,"impactScore":272,"exploitabilityScore":273},"HIGH",6,10,{"source":62,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":275,"cvss_v4_0":9},{"baseScore":55,"baseSeverity":271,"vectorString":58,"impactScore":272,"exploitabilityScore":273},{"source":63,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":277,"cvss_v4_0":9},{"baseScore":55,"baseSeverity":9,"vectorString":58,"impactScore":272,"exploitabilityScore":273},[279,290,293,304],{"ecosystem":9,"name":280,"vendor":281,"product":280,"cpe_part":282,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":283},"distribution","distribution_project","a",[284],{"version":285,"is_range":286,"range_type":287,"version_start":9,"version_start_type":9,"version_end":288,"version_end_type":289,"fixed_in":9},"lt3.1.0",true,"cpe","3.1.0","excluding",{"ecosystem":9,"name":280,"vendor":280,"product":280,"cpe_part":282,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":291},[292],{"version":285,"is_range":286,"range_type":57,"version_start":9,"version_start_type":9,"version_end":288,"version_end_type":289,"fixed_in":9},{"ecosystem":294,"name":295,"vendor":296,"product":280,"cpe_part":9,"purl_type":297,"purl_namespace":296,"purl_name":280,"source":9,"versions":298},"Go","github.com/distribution/distribution","github.com/distribution","golang",[299],{"version":300,"is_range":286,"range_type":301,"version_start":9,"version_start_type":9,"version_end":302,"version_end_type":303,"fixed_in":9},"lte2_8_3","semver","2.
8.3","including",{"ecosystem":294,"name":305,"vendor":295,"product":306,"cpe_part":9,"purl_type":297,"purl_namespace":295,"purl_name":306,"source":9,"versions":307},"github.com/distribution/distribution/v3","v3",[308],{"version":309,"is_range":286,"range_type":301,"version_start":9,"version_start_type":9,"version_end":288,"version_end_type":289,"fixed_in":9},"lt3_1_0"]