{"package":"ckan","ecosystem":"conda","latest_version":"2.9.4","description":"CKAN Software for making open data websites.","license":"GNU Affero General Public v3 or later (AGPLv3+)","license_risk":"unknown","commercial_use_notes":"verify manually — license not parseable / not declared.","homepage":"http://ckan.org/","repository":"https://github.com/ckan/ckan","downloads_weekly":44,"health":{"score":19,"risk":"critical","breakdown":{"maintenance":5,"popularity":0,"security":0,"maturity":12,"community":2},"deprecated":false,"max_score":100},"vulnerabilities":{"count":11,"critical":1,"high":2,"medium":7,"low":1,"details":[{"vuln_id":"CVE-2025-54384","severity":"medium","summary":"CKAN vulnerable to stored XSS in resource description","affected_versions":">=2.11.0,<2.11.4|<2.10.9|=2.11.0|=2.11.1|=2.11.2|=2.11.3|=0.11|=0.3|=0.4|=0.5|=0.6|=0.7|=0.8|=1.0|=1.1|=1.2|=1.3|=1.3.2|=1.3.3|=1.4|=1.4.1|=1.4.2|=1.4.3|=1.4.3.1|=1.5|=1.5.1|=1.6|=1.7|=1.7.1|=1.8|=2.0|=2.0.1|=2.0.7|=2.0.8|=2.1|=2.1.1|=2.1.5|=2.1.6|=2.10.0|=2.10.1|=2.10.3|=2.10.4|=2.10.5|=2.10.6|=2.10.7|=2.10.8|=2.2|=2.2.1|=2.2.3|=2.2.4|=2.3|=2.3.1|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=2.4.0|=2.4.1|=2.4.2|=2.4.3|=2.4.4|=2.4.5|=2.4.8|=2.4.9|=2.5.0|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.6|=2.5.7|=2.5.8|=2.5.9|=2.6.0|=2.6.1|=2.6.3|=2.6.4|=2.6.5|=2.6.6|=2.6.7|=2.6.8|=2.6.9|=2.7.0|=2.7.1|=2.7.10|=2.7.11|=2.7.12|=2.7.2|=2.7.3|=2.7.4|=2.7.5|=2.7.6|=2.7.7|=2.7.8|=2.7.9|=2.8.0|=2.8.1|=2.8.10|=2.8.11|=2.8.12|=2.8.2|=2.8.3|=2.8.4|=2.8.5|=2.8.6|=2.8.7|=2.8.8|=2.8.9|=2.9.0|=2.9.1|=2.9.10|=2.9.11|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6|=2.9.7|=2.9.8|=2.9.9","fixed_version":"2.10.9","source":"osv","published_at":"2025-10-29T15:34:22Z","in_kev":false,"epss_prob":0.00027,"epss_percentile":0.07426,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-41674","severity":"medium","summary":"CKAN may leak Solr credentials via error message in package_search 
action","affected_versions":">=2.0.0,<2.10.5|=2.0|=2.0.1|=2.0.7|=2.0.8|=2.1|=2.1.1|=2.1.5|=2.1.6|=2.10.0|=2.10.1|=2.10.3|=2.10.4|=2.2|=2.2.1|=2.2.3|=2.2.4|=2.3|=2.3.1|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=2.4.0|=2.4.1|=2.4.2|=2.4.3|=2.4.4|=2.4.5|=2.4.8|=2.4.9|=2.5.0|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.6|=2.5.7|=2.5.8|=2.5.9|=2.6.0|=2.6.1|=2.6.3|=2.6.4|=2.6.5|=2.6.6|=2.6.7|=2.6.8|=2.6.9|=2.7.0|=2.7.1|=2.7.10|=2.7.11|=2.7.12|=2.7.2|=2.7.3|=2.7.4|=2.7.5|=2.7.6|=2.7.7|=2.7.8|=2.7.9|=2.8.0|=2.8.1|=2.8.10|=2.8.11|=2.8.12|=2.8.2|=2.8.3|=2.8.4|=2.8.5|=2.8.6|=2.8.7|=2.8.8|=2.8.9|=2.9.0|=2.9.1|=2.9.10|=2.9.11|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6|=2.9.7|=2.9.8|=2.9.9","fixed_version":"2.10.5","source":"osv","published_at":"2024-08-21T18:26:27Z","in_kev":false,"epss_prob":0.00475,"epss_percentile":0.64857,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-32321","severity":"critical","summary":"Ckan remote code execution and private information access via crafted resource ids","affected_versions":"<2.9.9|=0.11|=0.3|=0.4|=0.5|=0.6|=0.7|=0.8|=1.0|=1.1|=1.2|=1.3|=1.3.2|=1.3.3|=1.4|=1.4.1|=1.4.2|=1.4.3|=1.4.3.1|=1.5|=1.5.1|=1.6|=1.7|=1.7.1|=1.8|=2.0|=2.0.1|=2.0.7|=2.0.8|=2.1|=2.1.1|=2.1.5|=2.1.6|=2.2|=2.2.1|=2.2.3|=2.2.4|=2.3|=2.3.1|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=2.4.0|=2.4.1|=2.4.2|=2.4.3|=2.4.4|=2.4.5|=2.4.8|=2.4.9|=2.5.0|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.6|=2.5.7|=2.5.8|=2.5.9|=2.6.0|=2.6.1|=2.6.3|=2.6.4|=2.6.5|=2.6.6|=2.6.7|=2.6.8|=2.6.9|=2.7.0|=2.7.1|=2.7.10|=2.7.11|=2.7.12|=2.7.2|=2.7.3|=2.7.4|=2.7.5|=2.7.6|=2.7.7|=2.7.8|=2.7.9|=2.8.0|=2.8.1|=2.8.10|=2.8.11|=2.8.12|=2.8.2|=2.8.3|=2.8.4|=2.8.5|=2.8.6|=2.8.7|=2.8.8|=2.8.9|=2.9.0|=2.9.1|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6|=2.9.7|=2.9.8|=2.10.0","fixed_version":"2.9.9","source":"osv","published_at":"2023-05-24T17:24:56Z","in_kev":false,"epss_prob":0.03793,"epss_percentile":0.88113,"threat_tier":"theoretical"},{"vuln_id":"CVE-2021-25967","severity":"medium","summary":"Cross-site Scripting in 
CKAN","affected_versions":">=2.9.0,<2.10.0|=2.9.0|=2.9.1|=2.9.10|=2.9.11|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6|=2.9.7|=2.9.8|=2.9.9","fixed_version":"2.10.0","source":"osv","published_at":"2021-12-03T20:44:48Z","in_kev":false,"epss_prob":0.00206,"epss_percentile":0.42677,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-50248","severity":"medium","summary":"Out of memory error when submitting the dataset form with a specially-crafted field","affected_versions":">=2.0,<2.9.10|>=2.10.0,<2.10.3|=2.0|=2.0.1|=2.0.7|=2.0.8|=2.1|=2.1.1|=2.1.5|=2.1.6|=2.2|=2.2.1|=2.2.3|=2.2.4|=2.3|=2.3.1|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=2.4.0|=2.4.1|=2.4.2|=2.4.3|=2.4.4|=2.4.5|=2.4.8|=2.4.9|=2.5.0|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.6|=2.5.7|=2.5.8|=2.5.9|=2.6.0|=2.6.1|=2.6.3|=2.6.4|=2.6.5|=2.6.6|=2.6.7|=2.6.8|=2.6.9|=2.7.0|=2.7.1|=2.7.10|=2.7.11|=2.7.12|=2.7.2|=2.7.3|=2.7.4|=2.7.5|=2.7.6|=2.7.7|=2.7.8|=2.7.9|=2.8.0|=2.8.1|=2.8.10|=2.8.11|=2.8.12|=2.8.2|=2.8.3|=2.8.4|=2.8.5|=2.8.6|=2.8.7|=2.8.8|=2.8.9|=2.9.0|=2.9.1|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6|=2.9.7|=2.9.8|=2.9.9|=2.10.0|=2.10.1","fixed_version":"2.10.3","source":"osv","published_at":"2023-12-13T23:08:35Z","in_kev":false,"epss_prob":0.00181,"epss_percentile":0.39514,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-24372","severity":"high","summary":"CKAN has an XSS vector in user uploaded images in group/org and user 
profiles","affected_versions":"<2.10.7|>=2.11.0,<2.11.2|=0.11|=0.3|=0.4|=0.5|=0.6|=0.7|=0.8|=1.0|=1.1|=1.2|=1.3|=1.3.2|=1.3.3|=1.4|=1.4.1|=1.4.2|=1.4.3|=1.4.3.1|=1.5|=1.5.1|=1.6|=1.7|=1.7.1|=1.8|=2.0|=2.0.1|=2.0.7|=2.0.8|=2.1|=2.1.1|=2.1.5|=2.1.6|=2.10.0|=2.10.1|=2.10.3|=2.10.4|=2.10.5|=2.10.6|=2.2|=2.2.1|=2.2.3|=2.2.4|=2.3|=2.3.1|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=2.4.0|=2.4.1|=2.4.2|=2.4.3|=2.4.4|=2.4.5|=2.4.8|=2.4.9|=2.5.0|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.6|=2.5.7|=2.5.8|=2.5.9|=2.6.0|=2.6.1|=2.6.3|=2.6.4|=2.6.5|=2.6.6|=2.6.7|=2.6.8|=2.6.9|=2.7.0|=2.7.1|=2.7.10|=2.7.11|=2.7.12|=2.7.2|=2.7.3|=2.7.4|=2.7.5|=2.7.6|=2.7.7|=2.7.8|=2.7.9|=2.8.0|=2.8.1|=2.8.10|=2.8.11|=2.8.12|=2.8.2|=2.8.3|=2.8.4|=2.8.5|=2.8.6|=2.8.7|=2.8.8|=2.8.9|=2.9.0|=2.9.1|=2.9.10|=2.9.11|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6|=2.9.7|=2.9.8|=2.9.9|=2.11.0|=2.11.1","fixed_version":"2.11.2","source":"osv","published_at":"2025-02-05T17:41:33Z","in_kev":false,"epss_prob":0.00218,"epss_percentile":0.4429,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-27097","severity":"medium","summary":"Potential log injection in reset user endpoint in 
CKAN","affected_versions":"<2.9.11|>=2.10.0,<2.10.4|=0.11|=0.3|=0.4|=0.5|=0.6|=0.7|=0.8|=1.0|=1.1|=1.2|=1.3|=1.3.2|=1.3.3|=1.4|=1.4.1|=1.4.2|=1.4.3|=1.4.3.1|=1.5|=1.5.1|=1.6|=1.7|=1.7.1|=1.8|=2.0|=2.0.1|=2.0.7|=2.0.8|=2.1|=2.1.1|=2.1.5|=2.1.6|=2.2|=2.2.1|=2.2.3|=2.2.4|=2.3|=2.3.1|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=2.4.0|=2.4.1|=2.4.2|=2.4.3|=2.4.4|=2.4.5|=2.4.8|=2.4.9|=2.5.0|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.6|=2.5.7|=2.5.8|=2.5.9|=2.6.0|=2.6.1|=2.6.3|=2.6.4|=2.6.5|=2.6.6|=2.6.7|=2.6.8|=2.6.9|=2.7.0|=2.7.1|=2.7.10|=2.7.11|=2.7.12|=2.7.2|=2.7.3|=2.7.4|=2.7.5|=2.7.6|=2.7.7|=2.7.8|=2.7.9|=2.8.0|=2.8.1|=2.8.10|=2.8.11|=2.8.12|=2.8.2|=2.8.3|=2.8.4|=2.8.5|=2.8.6|=2.8.7|=2.8.8|=2.8.9|=2.9.0|=2.9.1|=2.9.10|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6|=2.9.7|=2.9.8|=2.9.9|=2.10.0|=2.10.1|=2.10.3","fixed_version":"2.10.4","source":"osv","published_at":"2024-03-13T15:30:03Z","in_kev":false,"epss_prob":0.00446,"epss_percentile":0.63526,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-43371","severity":"medium","summary":"Potential access to sensitive URLs via CKAN extensions 
(SSRF)","affected_versions":"<2.10.5|=0.11|=0.3|=0.4|=0.5|=0.6|=0.7|=0.8|=1.0|=1.1|=1.2|=1.3|=1.3.2|=1.3.3|=1.4|=1.4.1|=1.4.2|=1.4.3|=1.4.3.1|=1.5|=1.5.1|=1.6|=1.7|=1.7.1|=1.8|=2.0|=2.0.1|=2.0.7|=2.0.8|=2.1|=2.1.1|=2.1.5|=2.1.6|=2.10.0|=2.10.1|=2.10.3|=2.10.4|=2.2|=2.2.1|=2.2.3|=2.2.4|=2.3|=2.3.1|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=2.4.0|=2.4.1|=2.4.2|=2.4.3|=2.4.4|=2.4.5|=2.4.8|=2.4.9|=2.5.0|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.6|=2.5.7|=2.5.8|=2.5.9|=2.6.0|=2.6.1|=2.6.3|=2.6.4|=2.6.5|=2.6.6|=2.6.7|=2.6.8|=2.6.9|=2.7.0|=2.7.1|=2.7.10|=2.7.11|=2.7.12|=2.7.2|=2.7.3|=2.7.4|=2.7.5|=2.7.6|=2.7.7|=2.7.8|=2.7.9|=2.8.0|=2.8.1|=2.8.10|=2.8.11|=2.8.12|=2.8.2|=2.8.3|=2.8.4|=2.8.5|=2.8.6|=2.8.7|=2.8.8|=2.8.9|=2.9.0|=2.9.1|=2.9.10|=2.9.11|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6|=2.9.7|=2.9.8|=2.9.9","fixed_version":"2.10.5","source":"osv","published_at":"2024-08-21T18:27:11Z","in_kev":false,"epss_prob":0.00317,"epss_percentile":0.54733,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-43685","severity":"high","summary":"CKAN contains Improper Authentication leading to account 
takeover","affected_versions":"<2.9.7|=0.11|=0.3|=0.4|=0.5|=0.6|=0.7|=0.8|=1.0|=1.1|=1.2|=1.3|=1.3.2|=1.3.3|=1.4|=1.4.1|=1.4.2|=1.4.3|=1.4.3.1|=1.5|=1.5.1|=1.6|=1.7|=1.7.1|=1.8|=2.0|=2.0.1|=2.0.7|=2.0.8|=2.1|=2.1.1|=2.1.5|=2.1.6|=2.2|=2.2.1|=2.2.3|=2.2.4|=2.3|=2.3.1|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=2.4.0|=2.4.1|=2.4.2|=2.4.3|=2.4.4|=2.4.5|=2.4.8|=2.4.9|=2.5.0|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.6|=2.5.7|=2.5.8|=2.5.9|=2.6.0|=2.6.1|=2.6.3|=2.6.4|=2.6.5|=2.6.6|=2.6.7|=2.6.8|=2.6.9|=2.7.0|=2.7.1|=2.7.10|=2.7.11|=2.7.12|=2.7.2|=2.7.3|=2.7.4|=2.7.5|=2.7.6|=2.7.7|=2.7.8|=2.7.9|=2.8.0|=2.8.1|=2.8.10|=2.8.11|=2.8.12|=2.8.2|=2.8.3|=2.8.4|=2.8.5|=2.8.6|=2.8.7|=2.8.8|=2.8.9|=2.9.0|=2.9.1|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6","fixed_version":"2.9.7","source":"osv","published_at":"2022-11-22T03:30:56Z","in_kev":false,"epss_prob":0.00864,"epss_percentile":0.75154,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-41675","severity":"medium","summary":"CKAN has Cross-site Scripting vector in the Datatables view plugin","affected_versions":">=2.7.0,<2.10.5|=2.10.0|=2.10.1|=2.10.3|=2.10.4|=2.7.0|=2.7.1|=2.7.10|=2.7.11|=2.7.12|=2.7.2|=2.7.3|=2.7.4|=2.7.5|=2.7.6|=2.7.7|=2.7.8|=2.7.9|=2.8.0|=2.8.1|=2.8.10|=2.8.11|=2.8.12|=2.8.2|=2.8.3|=2.8.4|=2.8.5|=2.8.6|=2.8.7|=2.8.8|=2.8.9|=2.9.0|=2.9.1|=2.9.10|=2.9.11|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6|=2.9.7|=2.9.8|=2.9.9","fixed_version":"2.10.5","source":"osv","published_at":"2024-08-21T18:26:29Z","in_kev":false,"epss_prob":0.01078,"epss_percentile":0.77896,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-43685","severity":"unknown","summary":"CKAN through 2.9.6 allows account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. 
This allows a user to take over an existing account including superuser accounts.","affected_versions":"<2.9.7|=0.11|=0.3|=0.4|=0.5|=0.6|=0.7|=0.8|=1.0|=1.1|=1.2|=1.3|=1.3.2|=1.3.3|=1.4|=1.4.1|=1.4.2|=1.4.3|=1.4.3.1|=1.5|=1.5.1|=1.6|=1.7|=1.7.1|=1.8|=2.0|=2.0.1|=2.0.7|=2.0.8|=2.1|=2.1.1|=2.1.5|=2.1.6|=2.2|=2.2.1|=2.2.3|=2.2.4|=2.3|=2.3.1|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=2.4.0|=2.4.1|=2.4.2|=2.4.3|=2.4.4|=2.4.5|=2.4.8|=2.4.9|=2.5.0|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.6|=2.5.7|=2.5.8|=2.5.9|=2.6.0|=2.6.1|=2.6.3|=2.6.4|=2.6.5|=2.6.6|=2.6.7|=2.6.8|=2.6.9|=2.7.0|=2.7.1|=2.7.10|=2.7.11|=2.7.12|=2.7.2|=2.7.3|=2.7.4|=2.7.5|=2.7.6|=2.7.7|=2.7.8|=2.7.9|=2.8.0|=2.8.1|=2.8.10|=2.8.11|=2.8.12|=2.8.2|=2.8.3|=2.8.4|=2.8.5|=2.8.6|=2.8.7|=2.8.8|=2.8.9|=2.9.0|=2.9.1|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=2.9.6","fixed_version":"2.9.7","source":"osv","published_at":"2022-11-22T01:15:00Z","in_kev":false,"epss_prob":0.00864,"epss_percentile":0.75154,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"2.9.4","total_count":2,"recent":["2.8.3","2.9.4"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":1,"first_published":"2019-10-23 05:03:24.450000+00:00","last_published":"2025-04-22 14:57:15.296000+00:00","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["Low health score (19/100)","2 high severity vulnerabilities","1 critical vulnerability"],"use_version":"2.9.4","version_hint":"Update to >= 2.9.7 to fix known vulnerabilities","summary":"ckan has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI 
agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":2,"first_release_age_days":2380,"last_release_days_ago":371,"avg_days_between_releases":2380,"release_velocity":"stale"}}