ckan has 11 known vulnerabilities on the latest version (2.9.4). DepScope rates its health at 19/100 (critical risk).

What is the latest version of ckan?

The latest version of ckan is 2.9.4, released 2025-04-22.

Does ckan have known vulnerabilities?

Yes. ckan has 11 known vulnerabilities. See depscope.dev/pkg/conda/ckan for details.

No, ckan is actively maintained. Latest release: 2.9.4 (2025-04-22).

DepScope has no curated alternatives for ckan at this time.

ckan is licensed under GNU Affero General Public v3 or later (AGPLv3+).

condav2.9.4

CKAN Software for making open data websites.

License GNU Affero General Public v3 or later (AGPLv3+)2 versions1 maintainers0 deps44 weekly dl

/ 100

Health

do not use

ckan has critical vulnerabilities — do not use

Update to >= 2.9.7 to fix known vulnerabilities

Health breakdown0 – 100

5/25

maintenance

0/20

popularity

0/25

security

12/15

maturity

2/15

community

Vulnerabilities

1 critical2 high7 medium1 low

Advisories (11)

Severity	ID	Summary	Fixed in
medium	CVE-2025-54384	CKAN vulnerable to stored XSS in resource description	2.10.9
medium	CVE-2024-41674	CKAN may leak Solr credentials via error message in package_search action	2.10.5
critical	CVE-2023-32321	Ckan remote code execution and private information access via crafted resource ids	2.9.9
medium	CVE-2021-25967	Cross-site Scripting in CKAN	2.10.0
medium	CVE-2023-50248	Out of memory error when submitting the dataset form with a specially-crafted field	2.10.3
high	CVE-2025-24372	CKAN has an XSS vector in user uploaded images in group/org and user profiles	2.11.2
medium	CVE-2024-27097	Potential log injection in reset user endpoint in CKAN	2.10.4
medium	CVE-2024-43371	Potential access to sensitive URLs via CKAN extensions (SSRF)	2.10.5
high	CVE-2022-43685	CKAN contains Improper Authentication leading to account takeover	2.9.7
medium	CVE-2024-41675	CKAN has Cross-site Scripting vector in the Datatables view plugin	2.10.5
unknown	CVE-2022-43685	CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.	2.9.7

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/conda/ckan

First published · 2019-10-23 05:03:24.450000+00:00

Last updated · 2025-04-22 14:57:15.296000+00:00