Update HAPI ecosystem (main) #129
Security Report
❌ New vulnerabilities:
Partial results (76 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
| Vulnerability | Severity |  CVSS Score |
Vulnerable Library | Direct Library | Suggested Fix | Issue | Reachability |
|---|---|---|---|---|---|---|---|
CVE-2026-40175Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ axios-1.12.1.tgz (Vulnerable Library) |
 Critical |
10.0 | Direct axios-1.12.1.tgz |
axios-1.12.1.tgz | Upgrade to version axios - 0.31.0 or greater | None |
|
CVE-2025-62718Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ axios-1.12.1.tgz (Vulnerable Library) |
Critical |
9.9 | Direct axios-1.12.1.tgz |
axios-1.12.1.tgz | Upgrade to version axios - 0.31.0 or greater | None |
|
CVE-607537-903744Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> ❌ ajv-6.12.6.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive ajv-6.12.6.tgz |
sdk-1.13.2.tgz | None |
|
|
CVE-2025-12816Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
 High |
8.6 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | node-forge - 1.3.2 | None |
|
CVE-2025-65110Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> vega-5.33.0.tgz (Root Library) -> vega-parser-6.6.0.tgz -> vega-functions-5.18.0.tgz -> ❌ vega-selections-5.6.0.tgz (Vulnerable Library) |
High |
8.1 | Transitive vega-selections-5.6.0.tgz |
vega-5.33.0.tgz | Transitive vega-selections - 5.6.3,vega-selections - 6.1.2 |
None |
|
CVE-2025-59840Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ vega-5.33.0.tgz (Vulnerable Library) |
High |
8.1 | Direct vega-5.33.0.tgz |
vega-5.33.0.tgz | vega-interpreter - 2.2.1,vega-interpreter - 1.2.1,vega-expression - 5.2.1,vega-expression - 6.1.0,vega - 6.2.0,vega - 6.2.0 | None |
|
CVE-2026-35525Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ liquidjs-10.22.0.tgz (Vulnerable Library) |
High |
7.5 | Direct liquidjs-10.22.0.tgz |
liquidjs-10.22.0.tgz | Upgrade to version liquidjs - 10.25.3 or greater | None |
|
CVE-2026-33895Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
7.5 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | Upgrade to version node-forge - 1.4.0 or greater | None |
|
CVE-2026-33894Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
7.5 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | Upgrade to version node-forge - 1.4.0 or greater | None |
|
CVE-2026-33891Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
7.5 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | Upgrade to version node-forge - 1.4.0 or greater | None |
|
CVE-2026-33287Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ liquidjs-10.22.0.tgz (Vulnerable Library) |
High |
7.5 | Direct liquidjs-10.22.0.tgz |
liquidjs-10.22.0.tgz | None |
|
|
CVE-2026-33285Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ liquidjs-10.22.0.tgz (Vulnerable Library) |
High |
7.5 | Direct liquidjs-10.22.0.tgz |
liquidjs-10.22.0.tgz | None |
|
|
CVE-2026-25639Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ axios-1.12.1.tgz (Vulnerable Library) |
High |
7.5 | Direct axios-1.12.1.tgz |
axios-1.12.1.tgz | https://github.com/axios/axios.git - v1.13.5 | None |
|
CVE-2025-66031Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
7.5 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | node-forge - 1.3.2 | None |
|
CVE-2025-65945Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> google-auth-library-9.10.0.tgz (Root Library) -> ❌ jws-4.0.0.tgz (Vulnerable Library) |
High |
7.5 | Transitive jws-4.0.0.tgz |
google-auth-library-9.10.0.tgz | Transitive jws - 3.2.3,jws - 4.0.1 |
None |
|
CVE-2025-65945Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> google-vertexai-0.2.18.tgz (Root Library) -> google-gauth-0.2.18.tgz -> google-auth-library-10.3.0.tgz -> ❌ jws-4.0.0.tgz (Vulnerable Library) |
High |
7.5 | Transitive jws-4.0.0.tgz |
google-vertexai-0.2.18.tgz | Transitive jws - 3.2.3,jws - 4.0.1 |
None |
|
CVE-2025-65945Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> jsonwebtoken-9.0.2.tgz (Root Library) -> ❌ jws-3.2.2.tgz (Vulnerable Library) |
High |
7.5 | Transitive jws-3.2.2.tgz |
jsonwebtoken-9.0.2.tgz | Transitive jws - 3.2.3,jws - 4.0.1 |
None |
|
CVE-2025-14874Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ nodemailer-7.0.9.tgz (Vulnerable Library) |
High |
7.5 | Direct nodemailer-7.0.9.tgz |
nodemailer-7.0.9.tgz | 7.0.11 | None |
|
CVE-2026-33896Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
7.4 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | Upgrade to version node-forge - 1.4.0 or greater | None |
|
CVE-2025-66648Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> vega-5.33.0.tgz (Root Library) -> ❌ vega-functions-5.18.0.tgz (Vulnerable Library) |
High |
7.2 | Transitive vega-functions-5.18.0.tgz |
vega-5.33.0.tgz | Transitive vega-functions - 6.1.1 |
None |
|
CVE-2026-39865Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ axios-1.12.1.tgz (Vulnerable Library) |
 Medium |
5.9 | Direct axios-1.12.1.tgz |
axios-1.12.1.tgz | Upgrade to version axios - 1.13.2 or greater | None |
|
CVE-2026-39859Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ liquidjs-10.22.0.tgz (Vulnerable Library) |
Medium |
5.3 | Direct liquidjs-10.22.0.tgz |
liquidjs-10.22.0.tgz | Upgrade to version liquidjs - 10.25.5 or greater | None |
|
CVE-2026-39412Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ liquidjs-10.22.0.tgz (Vulnerable Library) |
Medium |
5.3 | Direct liquidjs-10.22.0.tgz |
liquidjs-10.22.0.tgz | Upgrade to version liquidjs - 10.25.4 or greater | None |
|
CVE-2026-24001Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> unidiff-1.0.4.tgz (Root Library) -> ❌ diff-5.2.0.tgz (Vulnerable Library) |
Medium |
5.3 | Transitive diff-5.2.0.tgz |
unidiff-1.0.4.tgz | Transitive https://github.com/kpdecker/jsdiff.git - v4.0.4,https://github.com/kpdecker/jsdiff.git - v5.2.2,https://github.com/kpdecker/jsdiff.git - v8.0.3 |
None |
|
CVE-2025-66030Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
Medium |
5.3 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | node-forge - 1.3.2 | None |
|
CVE-2024-53382Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> eui-107.0.1.tgz (Root Library) -> refractor-3.6.0.tgz -> ❌ prismjs-1.27.0.tgz (Vulnerable Library) |
Medium |
4.9 | Transitive prismjs-1.27.0.tgz |
eui-107.0.1.tgz | Transitive 1.30.0 |
None |
|
CVE-2026-1163Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ jquery-3.7.1.tgz (Vulnerable Library) |
Medium |
4.1 | Direct jquery-3.7.1.tgz |
jquery-3.7.1.tgz | None |
|
|
CVE-2026-34166Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ liquidjs-10.22.0.tgz (Vulnerable Library) |
 Low |
3.7 | Direct liquidjs-10.22.0.tgz |
liquidjs-10.22.0.tgz | Upgrade to version liquidjs - 10.25.3 or greater | None |
|
CVE-2025-48985Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ ai-4.3.19.tgz (Vulnerable Library) |
Low |
3.7 | Direct ai-4.3.19.tgz |
ai-4.3.19.tgz | https://github.com/vercel/ai.git - ai@5.0.52 | None |
|
CVE-2025-69873Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> ❌ ajv-6.12.6.tgz (Vulnerable Library) |
Low |
2.9 | Transitive ajv-6.12.6.tgz |
sdk-1.13.2.tgz | Transitive ajv - 8.18.0 |
None |
|
CVE-2026-40175Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ axios-1.7.7.tgz (Vulnerable Library) |
Critical |
10.0 | Transitive axios-1.7.7.tgz |
bump-cli-2.8.4.tgz | Transitive Upgrade to version axios - 0.31.0 or greater |
None |
|
CVE-2025-62718Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ axios-1.7.7.tgz (Vulnerable Library) |
Critical |
9.9 | Transitive axios-1.7.7.tgz |
bump-cli-2.8.4.tgz | Transitive Upgrade to version axios - 0.31.0 or greater |
None |
|
CVE-2026-33937Path to dependency file: /package.json Path to vulnerable library: /package.json,/oas_docs/package.json Dependency Hierarchy: -> ❌ handlebars-4.7.8.tgz (Vulnerable Library) |
Critical |
9.8 | Direct handlebars-4.7.8.tgz |
handlebars-4.7.8.tgz | Upgrade to version handlebars - 4.7.9 or greater | None |
|
CVE-2026-1615Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ jsonpath-1.1.1.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive jsonpath-1.1.1.tgz |
bump-cli-2.8.4.tgz | Transitive Upgrade to version jsonpath - 1.3.0 or greater |
None |
|
CVE-2025-12735Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ expr-eval-2.0.2.tgz (Vulnerable Library) |
Critical |
9.8 | Direct expr-eval-2.0.2.tgz |
expr-eval-2.0.2.tgz | expr-eval-fork - 3.0.0,expr-eval-fork - 3.0.1 | None |
|
CVE-2026-25896Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> respect-core-1.34.5.tgz -> openapi-sampler-1.6.1.tgz -> ❌ fast-xml-parser-4.5.3.tgz (Vulnerable Library) |
Critical |
9.3 | Transitive fast-xml-parser-4.5.3.tgz |
cli-1.34.5.tgz | Transitive https://github.com/naturalintelligence/fast-xml-parser.git - v5.3.5 |
None |
|
CVE-2026-25896Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> client-bedrock-runtime-3.883.0.tgz (Root Library) -> core-3.883.0.tgz -> ❌ fast-xml-parser-5.2.5.tgz (Vulnerable Library) |
Critical |
9.3 | Transitive fast-xml-parser-5.2.5.tgz |
client-bedrock-runtime-3.883.0.tgz | Transitive https://github.com/naturalintelligence/fast-xml-parser.git - v5.3.5 |
None |
|
CVE-2026-25896Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> aws-0.1.15.tgz (Root Library) -> client-kendra-3.879.0.tgz -> core-3.879.0.tgz -> ❌ fast-xml-parser-5.2.5.tgz (Vulnerable Library) |
Critical |
9.3 | Transitive fast-xml-parser-5.2.5.tgz |
aws-0.1.15.tgz | Transitive https://github.com/naturalintelligence/fast-xml-parser.git - v5.3.5 |
None |
|
CVE-2025-68665Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ langchain-0.3.35.tgz (Vulnerable Library) |
High |
8.6 | Direct langchain-0.3.35.tgz |
langchain-0.3.35.tgz | langchain - 0.3.37,@langchain/core - 1.1.8,langchain - 1.2.3,@langchain/core - 0.3.80 | None |
|
CVE-2025-68665Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ core-0.3.78.tgz (Vulnerable Library) |
High |
8.6 | Direct core-0.3.78.tgz |
core-0.3.78.tgz | langchain - 0.3.37,@langchain/core - 1.1.8,langchain - 1.2.3,@langchain/core - 0.3.80 | None |
|
CVE-2026-33941Path to dependency file: /package.json Path to vulnerable library: /package.json,/oas_docs/package.json Dependency Hierarchy: -> ❌ handlebars-4.7.8.tgz (Vulnerable Library) |
High |
8.2 | Direct handlebars-4.7.8.tgz |
handlebars-4.7.8.tgz | Upgrade to version handlebars - 4.7.9 or greater | None |
|
CVE-2026-4800Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> formik-2.4.6.tgz (Root Library) -> ❌ lodash-es-4.17.21.tgz (Vulnerable Library) |
High |
8.1 | Transitive lodash-es-4.17.21.tgz |
formik-2.4.6.tgz | Transitive Upgrade to version lodash-amd - 4.18.0 or greater |
None |
|
CVE-2026-33940Path to dependency file: /package.json Path to vulnerable library: /package.json,/oas_docs/package.json Dependency Hierarchy: -> ❌ handlebars-4.7.8.tgz (Vulnerable Library) |
High |
8.1 | Direct handlebars-4.7.8.tgz |
handlebars-4.7.8.tgz | Upgrade to version handlebars - 4.7.9 or greater | None |
|
CVE-2026-33938Path to dependency file: /package.json Path to vulnerable library: /package.json,/oas_docs/package.json Dependency Hierarchy: -> ❌ handlebars-4.7.8.tgz (Vulnerable Library) |
High |
8.1 | Direct handlebars-4.7.8.tgz |
handlebars-4.7.8.tgz | Upgrade to version handlebars - 4.7.9 or greater | None |
|
CVE-2025-68154Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> opentelemetry-node-1.2.0.tgz (Root Library) -> host-metrics-0.36.0.tgz -> ❌ systeminformation-5.23.8.tgz (Vulnerable Library) |
High |
8.1 | Transitive systeminformation-5.23.8.tgz |
opentelemetry-node-1.2.0.tgz | Transitive systeminformation - 5.27.14 |
None |
|
WS-2026-0003Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> express-5.0.1.tgz -> on-finished-2.4.1.tgz -> ❌ ee-first-1.1.1.tgz (Vulnerable Library) |
High |
7.5 | Transitive ee-first-1.1.1.tgz |
sdk-1.13.2.tgz | Transitive https://github.com/virtio-win/kvm-guest-drivers-windows.git - mm316 |
None |
|
CVE-2026-4926Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> oas-28.1.0.tgz (Root Library) -> ❌ path-to-regexp-8.2.0.tgz (Vulnerable Library) |
High |
7.5 | Transitive path-to-regexp-8.2.0.tgz |
oas-28.1.0.tgz | Transitive Upgrade to version path-to-regexp - 8.4.0 or greater |
None |
|
CVE-2026-4926Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> express-5.0.1.tgz -> router-2.1.0.tgz -> ❌ path-to-regexp-8.2.0.tgz (Vulnerable Library) |
High |
7.5 | Transitive path-to-regexp-8.2.0.tgz |
sdk-1.13.2.tgz | Transitive Upgrade to version path-to-regexp - 8.4.0 or greater |
None |
|
CVE-2026-33939Path to dependency file: /package.json Path to vulnerable library: /package.json,/oas_docs/package.json Dependency Hierarchy: -> ❌ handlebars-4.7.8.tgz (Vulnerable Library) |
High |
7.5 | Direct handlebars-4.7.8.tgz |
handlebars-4.7.8.tgz | Upgrade to version handlebars - 4.7.9 or greater | None |
|
CVE-2026-33671Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> styled-components-5.3.11.tgz (Root Library) -> babel-plugin-styled-components-2.1.4.tgz -> ❌ picomatch-2.3.1.tgz (Vulnerable Library) |
High |
7.5 | Transitive picomatch-2.3.1.tgz |
styled-components-5.3.11.tgz | Transitive Upgrade to version picomatch - 4.0.4 or greater |
None |
|
CVE-2026-33671Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> config-1.18.17.tgz -> globby-11.1.0.tgz -> fast-glob-3.3.2.tgz -> micromatch-4.0.8.tgz -> ❌ picomatch-2.3.1.tgz (Vulnerable Library) |
High |
7.5 | Transitive picomatch-2.3.1.tgz |
bump-cli-2.8.4.tgz | Transitive Upgrade to version picomatch - 4.0.4 or greater |
None |
|
CVE-2026-33671Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> chokidar-3.6.0.tgz -> readdirp-3.6.0.tgz -> ❌ picomatch-2.3.1.tgz (Vulnerable Library) |
High |
7.5 | Transitive picomatch-2.3.1.tgz |
cli-1.34.5.tgz | Transitive Upgrade to version picomatch - 4.0.4 or greater |
None |
|
CVE-2026-33671Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> del-6.1.1.tgz (Root Library) -> globby-11.1.0.tgz -> fast-glob-3.3.3.tgz -> micromatch-4.0.8.tgz -> ❌ picomatch-2.3.1.tgz (Vulnerable Library) |
High |
7.5 | Transitive picomatch-2.3.1.tgz |
del-6.1.1.tgz | Transitive Upgrade to version picomatch - 4.0.4 or greater |
None |
|
CVE-2026-33036Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> respect-core-1.34.5.tgz -> openapi-sampler-1.6.1.tgz -> ❌ fast-xml-parser-4.5.3.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-xml-parser-4.5.3.tgz |
cli-1.34.5.tgz | Transitive Upgrade to version fast-xml-parser - 5.5.6 or greater |
None |
|
CVE-2026-33036Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> client-bedrock-runtime-3.883.0.tgz (Root Library) -> core-3.883.0.tgz -> ❌ fast-xml-parser-5.2.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-xml-parser-5.2.5.tgz |
client-bedrock-runtime-3.883.0.tgz | Transitive Upgrade to version fast-xml-parser - 5.5.6 or greater |
None |
|
CVE-2026-33036Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> aws-0.1.15.tgz (Root Library) -> client-kendra-3.879.0.tgz -> core-3.879.0.tgz -> ❌ fast-xml-parser-5.2.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-xml-parser-5.2.5.tgz |
aws-0.1.15.tgz | Transitive Upgrade to version fast-xml-parser - 5.5.6 or greater |
None |
|
CVE-2026-26996Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> core-1.20.4.tgz -> ejs-3.1.10.tgz -> jake-10.9.2.tgz -> filelist-1.0.4.tgz -> ❌ minimatch-5.1.6.tgz (Vulnerable Library) |
High |
7.5 | Transitive minimatch-5.1.6.tgz |
bump-cli-2.8.4.tgz | Transitive 10.2.1 |
None |
|
CVE-2026-26996Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> openapi-core-1.34.5.tgz -> ❌ minimatch-5.1.6.tgz (Vulnerable Library) |
High |
7.5 | Transitive minimatch-5.1.6.tgz |
cli-1.34.5.tgz | Transitive 10.2.1 |
None |
|
CVE-2026-26996Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> tar-7.4.3.tgz (Root Library) -> minizlib-3.0.1.tgz -> rimraf-5.0.10.tgz -> glob-10.4.5.tgz -> ❌ minimatch-9.0.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive minimatch-9.0.5.tgz |
tar-7.4.3.tgz | Transitive 10.2.1 |
None |
|
CVE-2026-26996Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> archiver-7.0.1.tgz (Root Library) -> readdir-glob-1.1.3.tgz -> ❌ minimatch-5.1.6.tgz (Vulnerable Library) |
High |
7.5 | Transitive minimatch-5.1.6.tgz |
archiver-7.0.1.tgz | Transitive 10.2.1 |
None |
|
CVE-2026-26996Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> archiver-7.0.1.tgz (Root Library) -> archiver-utils-5.0.2.tgz -> glob-10.4.5.tgz -> ❌ minimatch-9.0.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive minimatch-9.0.5.tgz |
archiver-7.0.1.tgz | Transitive 10.2.1 |
None |
|
CVE-2026-26278Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> respect-core-1.34.5.tgz -> openapi-sampler-1.6.1.tgz -> ❌ fast-xml-parser-4.5.3.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-xml-parser-4.5.3.tgz |
cli-1.34.5.tgz | Transitive 5.3.6 |
None |
|
CVE-2026-26278Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> client-bedrock-runtime-3.883.0.tgz (Root Library) -> core-3.883.0.tgz -> ❌ fast-xml-parser-5.2.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-xml-parser-5.2.5.tgz |
client-bedrock-runtime-3.883.0.tgz | Transitive 5.3.6 |
None |
|
CVE-2026-26278Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> aws-0.1.15.tgz (Root Library) -> client-kendra-3.879.0.tgz -> core-3.879.0.tgz -> ❌ fast-xml-parser-5.2.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-xml-parser-5.2.5.tgz |
aws-0.1.15.tgz | Transitive 5.3.6 |
None |
|
CVE-2026-25639Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ axios-1.7.7.tgz (Vulnerable Library) |
High |
7.5 | Transitive axios-1.7.7.tgz |
bump-cli-2.8.4.tgz | Transitive https://github.com/axios/axios.git - v1.13.5 |
None |
|
CVE-2026-0621Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ sdk-1.13.2.tgz (Vulnerable Library) |
High |
7.5 | Direct sdk-1.13.2.tgz |
sdk-1.13.2.tgz | @modelcontextprotocol/sdk - 1.25.2 | None |
|
CVE-2025-64756Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> tar-7.4.3.tgz (Root Library) -> minizlib-3.0.1.tgz -> rimraf-5.0.10.tgz -> ❌ glob-10.4.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive glob-10.4.5.tgz |
tar-7.4.3.tgz | Transitive glob - 11.1.0,glob - 10.5.0 |
None |
|
CVE-2025-64756Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> archiver-7.0.1.tgz (Root Library) -> archiver-utils-5.0.2.tgz -> ❌ glob-10.4.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive glob-10.4.5.tgz |
archiver-7.0.1.tgz | Transitive glob - 11.1.0,glob - 10.5.0 |
None |
|
CVE-2025-58754Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ axios-1.7.7.tgz (Vulnerable Library) |
High |
7.5 | Transitive axios-1.7.7.tgz |
bump-cli-2.8.4.tgz | Transitive 1.12.0 |
None |
|
CVE-2024-21538Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> core-1.20.4.tgz -> password-prompt-1.1.3.tgz -> ❌ cross-spawn-7.0.3.tgz (Vulnerable Library) |
High |
7.5 | Transitive cross-spawn-7.0.3.tgz |
bump-cli-2.8.4.tgz | Transitive https://github.com/moxystudio/node-cross-spawn.git - v7.0.5,https://github.com/moxystudio/node-cross-spawn.git - v6.0.6,org.webjars.npm:cross-spawn:6.0.6 |
None |
|
CVE-2025-13204Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ expr-eval-2.0.2.tgz (Vulnerable Library) |
High |
7.3 | Direct expr-eval-2.0.2.tgz |
expr-eval-2.0.2.tgz | None |
|
|
CVE-2026-33750Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> core-1.20.4.tgz -> ejs-3.1.10.tgz -> jake-10.9.2.tgz -> filelist-1.0.4.tgz -> minimatch-5.1.6.tgz -> ❌ brace-expansion-2.0.1.tgz (Vulnerable Library) |
Medium |
6.5 | Transitive brace-expansion-2.0.1.tgz |
bump-cli-2.8.4.tgz | Transitive Upgrade to version brace-expansion - 2.0.3 or greater |
None |
|
CVE-2026-33750Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> openapi-core-1.34.5.tgz -> minimatch-5.1.6.tgz -> ❌ brace-expansion-2.0.1.tgz (Vulnerable Library) |
Medium |
6.5 | Transitive brace-expansion-2.0.1.tgz |
cli-1.34.5.tgz | Transitive Upgrade to version brace-expansion - 2.0.3 or greater |
None |
|
CVE-2026-33750Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> glob-7.2.3.tgz -> minimatch-3.1.2.tgz -> ❌ brace-expansion-1.1.11.tgz (Vulnerable Library) |
Medium |
6.5 | Transitive brace-expansion-1.1.11.tgz |
cli-1.34.5.tgz | Transitive Upgrade to version brace-expansion - 2.0.3 or greater |
None |
|
CVE-2026-33750Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> del-6.1.1.tgz (Root Library) -> rimraf-3.0.2.tgz -> glob-7.2.3.tgz -> minimatch-3.1.2.tgz -> ❌ brace-expansion-1.1.12.tgz (Vulnerable Library) |
Medium |
6.5 | Transitive brace-expansion-1.1.12.tgz |
del-6.1.1.tgz | Transitive Upgrade to version brace-expansion - 2.0.3 or greater |
None |
|
CVE-2026-33750Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> archiver-7.0.1.tgz (Root Library) -> archiver-utils-5.0.2.tgz -> glob-10.4.5.tgz -> minimatch-9.0.5.tgz -> ❌ brace-expansion-2.0.2.tgz (Vulnerable Library) |
Medium |
6.5 | Transitive brace-expansion-2.0.2.tgz |
archiver-7.0.1.tgz | Transitive Upgrade to version brace-expansion - 2.0.3 or greater |
None |
|
Base branch total remaining vulnerabilities: 0
Base branch commit: 43796fdf47894730b90fa7a365e8711fd0b2f54b
Total libraries scanned: 3093
Scan token: ecdda2255a2c427093944afbe39b6900