Mistakenly accepted Package URL with version component. #1659

@alilleybrinker

Prerequisites

  • Put an X between the brackets on this line if you have done all of the following:
    • Checked the FAQs on the message board for common solutions: (TBD)
    • Checked that your issue isn't already filed.

Description

CVE-2026-21619 includes Package URLs which include a version component. Per the RFD which introduced support for Package URLs into the CVE Record Format, version components are banned and should never be accepted (the proper way to include version data is to put it in the versions field).

This indicates we either failed to perform validation on a route for submitting or modifying CVE Records, or our validation logic is buggy and failed to stop this record from being published.

Expected behavior:

This record should not have been published as-is, because the Package URLs are non-compliant with the requirements of the CVE Record Format.

Actual behavior:

The record includes Package URLs with a version.

Additional Information

Thanks @darakian for the report!
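The rule the issue relies on is that a Package URL (purl) in a CVE record may not carry a version component, since version data belongs in the `versions` field. Below is an added validator, not code from the CVE Services project, that parses a purl following the spec's component order (`pkg:type/namespace/name@version?qualifiers#subpath`) and rejects any purl in a record's `affected` list that has a version. The purls and the record fragment are constructed samples, not the ones from CVE-2026-21619, and the `packageURL` field name on the affected object is an assumption about the record format.

```python
"""Reject Package URLs that carry a version component.

Added example (not CVE Services code).  Implements the purl grammar
pkg:type/namespace/name@version?qualifiers#subpath so a record can be
checked before it is accepted or published.
"""
from urllib.parse import unquote


class PurlError(ValueError):
    """Raised for a purl that is syntactically invalid."""


def split_purl(purl: str) -> dict:
    """Split a purl into components in the spec's parse order:
    subpath ('#'), qualifiers ('?'), scheme ('pkg:'), type ('/'), version ('@')."""
    s = purl.strip()
    # Subpath is everything after the right-most '#'.
    subpath = None
    if "#" in s:
        s, subpath = s.rsplit("#", 1)
    # Qualifiers are everything after the right-most '?'.
    qualifiers = None
    if "?" in s:
        s, qualifiers = s.rsplit("?", 1)
    # Scheme is a case-insensitive 'pkg:' prefix; slashes right after it are ignored.
    if not s.lower().startswith("pkg:"):
        raise PurlError(f"missing pkg: scheme in {purl!r}")
    s = s[4:].lstrip("/")
    # Type is the segment before the first '/'.
    if "/" not in s:
        raise PurlError(f"missing type/name separator in {purl!r}")
    ptype, s = s.split("/", 1)
    # Version, if present, follows the right-most '@'.  A literal '@' inside a
    # namespace or name must be percent-encoded (%40), so a raw '@' can only be
    # the version separator.
    version = None
    if "@" in s:
        s, version = s.rsplit("@", 1)
        version = unquote(version)
    # What remains is optional namespace segments followed by the name.
    segments = [seg for seg in s.split("/") if seg]
    if not segments:
        raise PurlError(f"missing name in {purl!r}")
    name = unquote(segments[-1])
    namespace = "/".join(unquote(seg) for seg in segments[:-1]) or None
    return {"type": ptype.lower(), "namespace": namespace, "name": name,
            "version": version, "qualifiers": qualifiers, "subpath": subpath}


def has_version(purl: str) -> bool:
    """True if the purl carries a version component."""
    return split_purl(purl)["version"] is not None


def validate_affected_purls(affected: list) -> list:
    """Return one message per offending entry in a record's 'affected' list.
    The record passes only if the returned list is empty.  Malformed purls are
    reported too, since they cannot be shown to be version-free."""
    problems = []
    for idx, entry in enumerate(affected):
        purl = entry.get("packageURL")  # assumed field name on the affected object
        if purl is None:
            continue
        try:
            parsed = split_purl(purl)
        except PurlError as exc:
            problems.append(f"affected[{idx}]: invalid purl: {exc}")
            continue
        if parsed["version"] is not None:
            problems.append(
                f"affected[{idx}]: purl {purl!r} carries version "
                f"{parsed['version']!r}; put it in the 'versions' field instead")
    return problems


# Constructed sample: one compliant entry, one that smuggles a version into the purl.
SAMPLE_AFFECTED = [
    {"vendor": "example", "product": "lodash", "packageURL": "pkg:npm/lodash",
     "versions": [{"version": "4.17.20", "status": "affected"}]},
    {"vendor": "example", "product": "commons-text",
     "packageURL": "pkg:maven/org.apache.commons/commons-text@1.9?type=jar"},
]

if __name__ == "__main__":
    for problem in validate_affected_purls(SAMPLE_AFFECTED):
        print(problem)
```

The check splits subpath and qualifiers off first so that an `@` inside a qualifier value or subpath is never mistaken for a version separator, and it treats a purl it cannot parse as a failure rather than letting it through, which is the safer default for a publish-time gate. An unencoded `@` at the start of a scoped npm namespace (for example `@angular` written without `%40`) is reported as malformed for the same reason.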

Labels: bug (Something isn't working)

Status: Needs Triage

Milestone: No milestone