ckan
PyPI15 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting ckanpage 1 of 1
- CVE-2021-25967MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.9.42021-12-01
vulnerable: 2.9.0, 2.9.1, 2.9.2, 2.9.3
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts ar…
- CVE-2022-43685HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.72022-11-22
vulnerable: 0.11 ... 2.9.6 (101 versions)
CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.
- CVE-2023-32321CRITICALCVSS 9.8EG 9.82023-05-26
vulnerable: 2.10.0
CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in `resource_create` and `package…
- CVE-2023-50248MEDIUMCVSS 4.5EG 4.5✓ Fixed in 2.10.32023-12-13
vulnerable: 2.10.0, 2.10.1
CKAN is an open-source data management system for powering data hubs and data portals. Starting in version 2.0.0 and prior to versions 2.9.10 and 2.10.3, when submitting a POST request to the `/dataset/new` endpoint (including either the a…
- CVE-2024-27097MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2.10.42024-03-13
vulnerable: 2.10.0, 2.10.1, 2.10.3
A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN …
- CVE-2024-41674MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2.10.52024-08-21
vulnerable: 2.0 ... 2.9.9 (86 versions)
CKAN is an open-source data management system for powering data hubs and data portals. If there were connection issues with the Solr server, the internal Solr URL (potentially including credentials) could be leaked to package_search calls …
- CVE-2024-41675MEDIUMCVSS 6.8EG 6.8✓ Fixed in 2.10.52024-08-21
vulnerable: 2.10.0 ... 2.9.9 (42 versions)
CKAN is an open-source data management system for powering data hubs and data portals. The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector. Sites running CKAN >= 2.7.0…
- CVE-2024-43371MEDIUMCVSS 4.5EG 4.5✓ Fixed in 2.10.52024-08-21
vulnerable: 0.11 ... 2.9.9 (110 versions)
CKAN is an open-source data management system for powering data hubs and data portals. There are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local o…
- CVE-2025-24372HIGHCVSS 7.3EG 7.3✓ Fixed in 2.11.22025-02-05
vulnerable: 2.11.0, 2.11.1
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Using a specially crafted file, a user could potentially upload a file containing code that when executed could send arbitrary requests to the ser…
- CVE-2025-54384MEDIUMCVSS 6.3EG 6.3✓ Fixed in 2.10.92025-10-29
vulnerable: 0.11 ... 2.9.9 (114 versions)
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, the helpers.markdown_extract() function did not perform sufficient sanitization of input data before wrapping in an HT…
- CVE-2025-64100MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.11.42025-10-29
vulnerable: 2.11.0, 2.11.1, 2.11.2, 2.11.3
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie…
- CVE-2026-41132HIGHCVSS 7.4EG 7.4✓ Fixed in 2.10.102026-05-13
vulnerable: 0.11 ... 2.9.9 (115 versions)
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, the configured SMTP server may be spoofed with any certificate (e.g. self-signed), leaving credentials and all emails…
- CVE-2026-41255MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.11.52026-05-13
vulnerable: 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The …
- CVE-2026-42031CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.11.52026-05-13
vulnerable: 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources …
- CVE-2026-42032CRITICALCVSS 9.1EG 9.1✓ Fixed in 2.11.52026-05-13
vulnerable: 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to bypass authorization in order to gain access to private …
Check whether ckan is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for ckan CVEs against the assets you own.
Start Free Scan →