Vulnerable Library - @storm-stack/core-0.47.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-33937
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, "Handlebars.compile()" accepts a pre-parsed AST object in addition to a template string. The "value" field of a "NumberLiteral" AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to "compile()" can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling "Handlebars.compile()"; ensure the argument is always a "string", never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build ("handlebars/runtime") on the server if templates are pre-compiled at build time; "compile()" will be unavailable.
Publish Date: 2026-03-27
URL: CVE-2026-33937
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Step up your Open Source Security Game with Mend here
CVE-2026-27606
Vulnerable Libraries - rollup-4.52.2.tgz, rollup-4.52.3.tgz
rollup-4.52.2.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-4.52.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- rollup-plugin-typescript2-0.36.0.tgz
- ❌ rollup-4.52.2.tgz (Vulnerable Library)
rollup-4.52.3.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-4.52.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- ❌ rollup-4.52.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x, and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences ("../") to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Publish Date: 2026-02-25
URL: CVE-2026-27606
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-25
Fix Resolution: https://github.com/rollup/rollup.git - v2.80.0, https://github.com/rollup/rollup.git - v3.30.0, https://github.com/rollup/rollup.git - v4.59.0
CVE-2025-12816
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- cli-1.5.8.tgz
- dev-server-1.1.4.tgz
- webpack-dev-server-5.2.2.tgz
- selfsigned-2.4.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (@storm-stack/core): 0.48.0
CVE-2026-44728
Vulnerable Library - plugin-transform-modules-systemjs-7.27.1.tgz
This plugin transforms ES2015 modules to SystemJS
Library home page: https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.27.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- build-tools-0.157.2.tgz
- js-21.5.3.tgz
- preset-env-7.28.3.tgz
- ❌ plugin-transform-modules-systemjs-7.27.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Impact:
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are:
- "@babel/plugin-transform-modules-systemjs"
- "@babel/preset-env" when using the "modules" option set to "systemjs" (https://babel.dev/docs/babel-preset-env#modules), as it delegates to "@babel/plugin-transform-modules-systemjs"
No other plugins under the "@babel" namespace are impacted. Users that only compile trusted code are not impacted.
Patches:
The vulnerability has been fixed in "@babel/plugin-transform-modules-systemjs@7.29.4". Babel also released "@babel/preset-env@7.29.5", updating its "@babel/plugin-transform-modules-systemjs" dependency, to simplify forcing the update if you are using "@babel/preset-env" directly.
Workarounds:
- Pin "@babel/parser" to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and cannot upgrade "@babel/plugin-transform-modules-systemjs" to v7.29.4.
- Do not use the "modules" option set to "systemjs"; migrate the codebase to native ES Modules or any other module format.
Credits:
Babel thanks Daniel Cervera for reporting the vulnerability.
Publish Date: 2026-05-16
URL: CVE-2026-44728
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-fv7c-fp4j-7gwp
Release Date: 2026-05-09
Fix Resolution: @babel/plugin-transform-modules-systemjs - 8.0.0-alpha.13, @babel/plugin-transform-modules-systemjs - 7.29.4
CVE-2026-33941
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler ("bin/handlebars" / "lib/precompiler.js") concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (double quotes, single quotes, semicolons, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.
Publish Date: 2026-03-27
URL: CVE-2026-33941
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- api-extractor-7.52.11.tgz
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: 2026-03-31
URL: CVE-2026-4800
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-r5fr-rjxr-66jc
Release Date: 2026-03-31
Fix Resolution: lodash-amd - 4.18.0, lodash.template - 4.18.0, lodash-es - 4.18.0, lodash - 4.18.0
CVE-2026-33940
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in "resolvePartial()" and cause "invokePartial()" to return "undefined". The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to "env.compile()". Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build ("require('handlebars/runtime')"). Without "compile()", the fallback compilation path in "invokePartial" is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups ("{{> (lookup ...)}}") when context data is user-controlled.
Publish Date: 2026-03-27
URL: CVE-2026-33940
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
CVE-2026-33938
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the "@partial-block" special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites "@partial-block" with a crafted Handlebars AST, a subsequent invocation of "{{> @partial-block}}" compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build ("require('handlebars/runtime')"). The "compile()" method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as "handlebars-helpers") in contexts where templates or context data can be influenced by untrusted input.
Publish Date: 2026-03-27
URL: CVE-2026-33938
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
CVE-2026-6322
Vulnerable Library - fast-uri-3.1.0.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- webpack-5.102.0.tgz
- schema-utils-4.3.2.tgz
- ajv-8.17.1.tgz
- ❌ fast-uri-3.1.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Publish Date: 2026-05-05
URL: CVE-2026-6322
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-05
Fix Resolution: fast-uri - 3.1.2, https://github.com/fastify/fast-uri.git - v3.1.2
CVE-2026-6321
Vulnerable Library - fast-uri-3.1.0.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- webpack-5.102.0.tgz
- schema-utils-4.3.2.tgz
- ajv-8.17.1.tgz
- ❌ fast-uri-3.1.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
Publish Date: 2026-05-04
URL: CVE-2026-6321
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q3j6-qgpj-74h6
Release Date: 2026-05-04
Fix Resolution: fast-uri - 3.1.1
CVE-2026-4867
Vulnerable Library - path-to-regexp-0.1.12.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- cli-1.5.8.tgz
- dev-server-1.1.4.tgz
- webpack-dev-server-5.2.2.tgz
- express-4.21.2.tgz
- ❌ path-to-regexp-0.1.12.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Publish Date: 2026-03-26
URL: CVE-2026-4867
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-37ch-88jc-xwx2
Release Date: 2026-03-26
Fix Resolution: path-to-regexp - 0.1.13
CVE-2026-39364
Vulnerable Library - vite-7.1.5.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- ❌ vite-7.1.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39364
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v2wj-q39q-566r
Release Date: 2026-04-07
Fix Resolution: https://github.com/vitejs/vite.git - v7.3.2, https://github.com/vitejs/vite.git - v8.0.5
CVE-2026-39363
Vulnerable Libraries - vite-7.1.5.tgz, vite-6.3.6.tgz
vite-7.1.5.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- ❌ vite-7.1.5.tgz (Vulnerable Library)
vite-6.3.6.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.3.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- astro-5.14.1.tgz
- ❌ vite-6.3.6.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39363
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-p9ff-h696-f583
Release Date: 2026-04-07
Fix Resolution: https://github.com/vitejs/vite.git - v6.4.2, vite-plus - 0.1.16, https://github.com/vitejs/vite.git - v8.0.5, https://github.com/vitejs/vite.git - v7.3.2
CVE-2026-33939
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- ❌ handlebars-4.7.8.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. "{{*n}}"), the compiled template calls "lookupProperty(decorators, "n")", which returns "undefined". The runtime then immediately invokes the result as a function, causing an unhandled "TypeError: ... is not a function" that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a "try/catch" is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in "try/catch". Validate template input before passing it to "compile()"; reject templates containing decorator syntax ("{{*...}}") if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call "compile()" at request time.
Publish Date: 2026-03-27
URL: CVE-2026-33939
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
CVE-2026-33895
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- cli-1.5.8.tgz
- dev-server-1.1.4.tgz
- webpack-dev-server-5.2.2.tgz
- selfsigned-2.4.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order ("S >= L"). A valid signature and its "S + L" variant both verify in forge, while Node.js "crypto.verify" (OpenSSL-backed) rejects the "S + L" variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33895
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
CVE-2026-33894
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
- cli-1.5.8.tgz
- dev-server-1.1.4.tgz
- webpack-dev-server-5.2.2.tgz
- selfsigned-2.4.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33894
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-ppp5-5v6c-4jwp
Release Date: 2026-03-26
Fix Resolution: node-forge - 1.4.0
CVE-2026-33891
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @storm-stack/core-0.47.0.tgz (Root Library)
  - cli-1.5.8.tgz
    - dev-server-1.1.4.tgz
      - webpack-dev-server-5.2.2.tgz
        - selfsigned-2.4.1.tgz
          - ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33891
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Vulnerable Libraries - rollup-4.52.2.tgz, rollup-4.52.3.tgz
rollup-4.52.2.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-4.52.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
rollup-4.52.3.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-4.52.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences ("../") to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Publish Date: 2026-02-25
URL: CVE-2026-27606
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-25
Fix Resolution: https://github.com/rollup/rollup.git - v2.80.0, https://github.com/rollup/rollup.git - v3.30.0, https://github.com/rollup/rollup.git - v4.59.0
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (@storm-stack/core): 0.48.0
Vulnerable Library - plugin-transform-modules-systemjs-7.27.1.tgz
This plugin transforms ES2015 modules to SystemJS
Library home page: https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.27.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Impact:
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are:
- "@babel/plugin-transform-modules-systemjs"
- "@babel/preset-env" when using the `modules: "systemjs"` option (https://babel.dev/docs/babel-preset-env#modules), as it delegates to "@babel/plugin-transform-modules-systemjs"
No other plugins under the "@babel" namespace are impacted. Users that only compile trusted code are not impacted.
Patches:
The vulnerability has been fixed in "@babel/plugin-transform-modules-systemjs@7.29.4". Babel also released "@babel/preset-env@7.29.5", updating its "@babel/plugin-transform-modules-systemjs" dependency, to simplify forcing the update if you are using "@babel/preset-env" directly.
Workarounds:
- Pin "@babel/parser" to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and cannot upgrade "@babel/plugin-transform-modules-systemjs" to v7.29.4.
- Do not use the `modules: "systemjs"` option; migrate the codebase to native ES Modules or any other module format.
Credits:
Babel thanks Daniel Cervera for reporting the vulnerability.
Publish Date: 2026-05-16
URL: CVE-2026-44728
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fv7c-fp4j-7gwp
Release Date: 2026-05-09
Fix Resolution: @babel/plugin-transform-modules-systemjs - 8.0.0-alpha.13, @babel/plugin-transform-modules-systemjs - 7.29.4
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler ("bin/handlebars" / "lib/precompiler.js") concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`"`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.
Publish Date: 2026-03-27
URL: CVE-2026-33941
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: 2026-03-31
URL: CVE-2026-4800
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r5fr-rjxr-66jc
Release Date: 2026-03-31
Fix Resolution: lodash-amd - 4.18.0, lodash.template - 4.18.0, lodash-es - 4.18.0, lodash - 4.18.0
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in "resolvePartial()" and cause "invokePartial()" to return "undefined". The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to "env.compile()". Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build ("require('handlebars/runtime')"). Without "compile()", the fallback compilation path in "invokePartial" is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups ("{{> (lookup ...)}}") when context data is user-controlled.
Publish Date: 2026-03-27
URL: CVE-2026-33940
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the "@partial-block" special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites "@partial-block" with a crafted Handlebars AST, a subsequent invocation of "{{> @partial-block}}" compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build ("require('handlebars/runtime')"). The "compile()" method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as "handlebars-helpers") in contexts where templates or context data can be influenced by untrusted input.
Publish Date: 2026-03-27
URL: CVE-2026-33938
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Vulnerable Library - fast-uri-3.1.0.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Publish Date: 2026-05-05
URL: CVE-2026-6322
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-05
Fix Resolution: fast-uri - 3.1.2, https://github.com/fastify/fast-uri.git - v3.1.2
Vulnerable Library - fast-uri-3.1.0.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
Publish Date: 2026-05-04
URL: CVE-2026-6321
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-q3j6-qgpj-74h6
Release Date: 2026-05-04
Fix Resolution: fast-uri - 3.1.1
Vulnerable Library - path-to-regexp-0.1.12.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Publish Date: 2026-03-26
URL: CVE-2026-4867
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-37ch-88jc-xwx2
Release Date: 2026-03-26
Fix Resolution: path-to-regexp - 0.1.13
Vulnerable Library - vite-7.1.5.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39364
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v2wj-q39q-566r
Release Date: 2026-04-07
Fix Resolution: https://github.com/vitejs/vite.git - v7.3.2, https://github.com/vitejs/vite.git - v8.0.5
Vulnerable Libraries - vite-7.1.5.tgz, vite-6.3.6.tgz
vite-7.1.5.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
vite-6.3.6.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.3.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39363
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p9ff-h696-f583
Release Date: 2026-04-07
Fix Resolution: https://github.com/vitejs/vite.git - v6.4.2, vite-plus - 0.1.16, https://github.com/vitejs/vite.git - v8.0.5, https://github.com/vitejs/vite.git - v7.3.2
Vulnerable Library - handlebars-4.7.8.tgz
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. "{{*n}}"), the compiled template calls "lookupProperty(decorators, "n")", which returns "undefined". The runtime then immediately invokes the result as a function, causing an unhandled "TypeError: ... is not a function" that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a "try/catch" is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in "try/catch". Validate template input before passing it to "compile()"; reject templates containing decorator syntax ("{{*...}}") if decorators are not used in your application. Use the pre-compilation workflow: compile templates at build time and serve only pre-compiled templates; do not call "compile()" at request time.
Publish Date: 2026-03-27
URL: CVE-2026-33939
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order ("S >= L"). A valid signature and its "S + L" variant both verify in forge, while Node.js "crypto.verify" (OpenSSL-backed) rejects the "S + L" variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33895
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0