
test-utils-1.3.6.tgz: 7 vulnerabilities (highest severity is: 8.1) [trunk] (reachable) #191

@renovate

Description

📂 Vulnerable Library - test-utils-1.3.6.tgz

Path to dependency file: /src/Administration/Resources/app/administration/package.json

Findings

| Finding | Severity | CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-4800 | 🔴 High | 8.1 | Not Defined | < 1% | lodash-4.17.21.tgz | Direct | N/A | | Unreachable |
| CVE-2025-13465 | 🔴 High | 7.2 | Not Defined | < 1% | lodash-4.17.21.tgz | Direct | N/A | | Reachable |
| CVE-2026-2950 | 🟠 Medium | 6.5 | Not Defined | < 1% | lodash-4.17.21.tgz | Direct | lodash-es - 4.17.23, lodash - 4.17.23, lodash-amd - 4.17.23 | | Unreachable |
| CVE-2024-6783 | 🟠 Medium | 4.8 | Not Defined | < 1% | vue-2.7.14.tgz | Direct | no_fix | | Reachable |
| CVE-2024-6783 | 🟠 Medium | 4.8 | Not Defined | < 1% | vue-template-compiler-2.7.14.tgz | Direct | no_fix | | Unreachable |
| CVE-2024-9506 | 🟡 Low | 3.7 | Not Defined | < 1% | vue-2.7.14.tgz | Direct | vue - 3.0.0 | | Reachable |
| CVE-2024-9506 | 🟡 Low | 3.7 | Not Defined | < 1% | vue-template-compiler-2.7.14.tgz | Direct | vue - 3.0.0 | | Unreachable |

Details

🔴 CVE-2026-4800

Vulnerable Library - lodash-4.17.21.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz

Path to dependency file: /src/Administration/Resources/app/administration/package.json

Dependency Hierarchy:

  • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-dev-server-3.11.3.tgz (Root Library)
    • portfinder-1.0.28.tgz
      • async-2.6.3.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • mocha-7.2.0.tgz (Root Library)
    • yargs-unparser-1.6.0.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • admin-extension-sdk-3.0.15.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • optimize-css-assets-webpack-plugin-5.0.8.tgz (Root Library)
    • last-call-webpack-plugin-3.0.0.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-merge-4.2.2.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • e2e-testsuite-platform-7.0.5.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • cli-0.11.0.tgz (Root Library)
    • inquirer-6.5.2.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-plugin-injector-1.0.7.tgz (Root Library)
    • webpack-merge-4.2.2.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • cli-0.9.0.tgz (Root Library)
    • inquirer-6.5.2.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • admin-extension-sdk-3.0.13.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • test-utils-1.3.6.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • cypress-multi-reporters-1.6.2.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • cypress-3.1.2.tgz (Root Library)
    • cypress-12.17.4.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-bundle-analyzer-3.9.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • lighthouse-9.6.8.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable.

Vulnerability Details

Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches:
Users should upgrade to version 4.18.0.

Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Publish Date: Mar 31, 2026 07:25 PM

URL: CVE-2026-4800

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 8.1

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:

🔴 CVE-2025-13465

Vulnerable Library - lodash-4.17.21.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz

Path to dependency file: /src/Administration/Resources/app/administration/package.json

Dependency Hierarchy:

  • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-dev-server-3.11.3.tgz (Root Library)
    • portfinder-1.0.28.tgz
      • async-2.6.3.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • mocha-7.2.0.tgz (Root Library)
    • yargs-unparser-1.6.0.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • admin-extension-sdk-3.0.15.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • optimize-css-assets-webpack-plugin-5.0.8.tgz (Root Library)
    • last-call-webpack-plugin-3.0.0.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-merge-4.2.2.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • e2e-testsuite-platform-7.0.5.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • cli-0.11.0.tgz (Root Library)
    • inquirer-6.5.2.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-plugin-injector-1.0.7.tgz (Root Library)
    • webpack-merge-4.2.2.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • cli-0.9.0.tgz (Root Library)
    • inquirer-6.5.2.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • admin-extension-sdk-3.0.13.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • test-utils-1.3.6.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • cypress-multi-reporters-1.6.2.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • cypress-3.1.2.tgz (Root Library)
    • cypress-12.17.4.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-bundle-analyzer-3.9.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • lighthouse-9.6.8.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- administration-1.0.0/src/module/sw-settings/component/sw-system-config/sw-system-config.spec.vue3.js (Application)
    -> ❌ lodash-4.17.21/lodash.js (Vulnerable Component)

Vulnerability Details

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.

Publish Date: Jan 21, 2026 07:05 PM

URL: CVE-2025-13465

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.2

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:

🟠 CVE-2026-2950

Vulnerable Library - lodash-4.17.21.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz

Path to dependency file: /src/Administration/Resources/app/administration/package.json

Dependency Hierarchy:

  • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-dev-server-3.11.3.tgz (Root Library)
    • portfinder-1.0.28.tgz
      • async-2.6.3.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • mocha-7.2.0.tgz (Root Library)
    • yargs-unparser-1.6.0.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • admin-extension-sdk-3.0.15.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • optimize-css-assets-webpack-plugin-5.0.8.tgz (Root Library)
    • last-call-webpack-plugin-3.0.0.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-merge-4.2.2.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • e2e-testsuite-platform-7.0.5.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • cli-0.11.0.tgz (Root Library)
    • inquirer-6.5.2.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-plugin-injector-1.0.7.tgz (Root Library)
    • webpack-merge-4.2.2.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • cli-0.9.0.tgz (Root Library)
    • inquirer-6.5.2.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • admin-extension-sdk-3.0.13.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • test-utils-1.3.6.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • cypress-multi-reporters-1.6.2.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • cypress-3.1.2.tgz (Root Library)
    • cypress-12.17.4.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • webpack-bundle-analyzer-3.9.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • lighthouse-9.6.8.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable.

Vulnerability Details

Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches:
This issue is patched in 4.18.0.

Workarounds:
None. Upgrade to the patched version.

Publish Date: Mar 31, 2026 07:18 PM

URL: CVE-2026-2950

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 6.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-xxjr-mmjv-4gpg

Release Date: Mar 31, 2026 07:18 PM

Fix Resolution: lodash-es - 4.17.23, lodash - 4.17.23, lodash-amd - 4.17.23

🟠 CVE-2024-6783

Vulnerable Library - vue-2.7.14.tgz

Reactive, component-oriented view layer for modern web interfaces.

Library home page: https://registry.npmjs.org/vue/-/vue-2.7.14.tgz

Path to dependency file: /src/Administration/Resources/app/administration/package.json

Dependency Hierarchy:

  • vuex-3.6.2.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • vue-3.3.4.tgz (Root Library)
    • server-renderer-3.3.4.tgz
      • vue-2.7.14.tgz (Vulnerable Library)
  • vue-2.7.14.tgz (Vulnerable Library)
  • test-utils-1.3.6.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • vue-router-4.2.2.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • vue-i18n-9.2.2.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • compat-3.3.4.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • vuex-4.1.0.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • test-utils-2.3.2.tgz (Root Library)
    • server-renderer-3.3.4.tgz
      • vue-2.7.14.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- administration-1.0.0/src/viewRenderer.ts (Application)
    -> ❌ vue-2.7.14/dist/vue.runtime.common.js (Vulnerable Component)

Vulnerability Details

A vulnerability has been discovered in Vue that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as "Object.prototype.staticClass" or "Object.prototype.staticStyle" to execute arbitrary JavaScript code.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jul 23, 2024 03:05 PM

URL: CVE-2024-6783

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 4.8

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-6783

Release Date: Jul 23, 2024 03:05 PM

Fix Resolution: no_fix

🟠 CVE-2024-6783

Vulnerable Library - vue-template-compiler-2.7.14.tgz

template compiler for Vue 2.0

Library home page: https://registry.npmjs.org/vue-template-compiler/-/vue-template-compiler-2.7.14.tgz

Path to dependency file: /src/Administration/Resources/app/administration/package.json

Dependency Hierarchy:

  • vue-template-compiler-2.7.14.tgz (Vulnerable Library)
  • test-utils-1.3.6.tgz (Root Library)
    • vue-template-compiler-2.7.14.tgz (Vulnerable Library)
  • fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
    • vue-template-compiler-2.7.14.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable.

Vulnerability Details

A vulnerability has been discovered in Vue that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as "Object.prototype.staticClass" or "Object.prototype.staticStyle" to execute arbitrary JavaScript code.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jul 23, 2024 03:05 PM

URL: CVE-2024-6783

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 4.8

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-6783

Release Date: Jul 23, 2024 03:05 PM

Fix Resolution: no_fix

🟡 CVE-2024-9506

Vulnerable Library - vue-2.7.14.tgz

Reactive, component-oriented view layer for modern web interfaces.

Library home page: https://registry.npmjs.org/vue/-/vue-2.7.14.tgz

Path to dependency file: /src/Administration/Resources/app/administration/package.json

Dependency Hierarchy:

  • vuex-3.6.2.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • vue-3.3.4.tgz (Root Library)
    • server-renderer-3.3.4.tgz
      • vue-2.7.14.tgz (Vulnerable Library)
  • vue-2.7.14.tgz (Vulnerable Library)
  • test-utils-1.3.6.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • vue-router-4.2.2.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • vue-i18n-9.2.2.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • compat-3.3.4.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • vuex-4.1.0.tgz (Root Library)
    • vue-2.7.14.tgz (Vulnerable Library)
  • test-utils-2.3.2.tgz (Root Library)
    • server-renderer-3.3.4.tgz
      • vue-2.7.14.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- administration-1.0.0/src/viewRenderer.ts (Application)
    - vue-2.7.14/dist/vue.runtime.common.js (Extension)
        -> ❌ vue-2.7.14/dist/vue.runtime.common.prod.js (Vulnerable Component)

Vulnerability Details

An improper regular expression in Vue's parseHTML function leads to a potential regular expression denial of service (ReDoS) vulnerability.

Publish Date: Oct 15, 2024 03:40 PM

URL: CVE-2024-9506

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 3.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-5j4c-8p2g-v4jx

Release Date: Oct 15, 2024 03:40 PM

Fix Resolution: vue - 3.0.0

🟡 CVE-2024-9506

Vulnerable Library - vue-template-compiler-2.7.14.tgz

template compiler for Vue 2.0

Library home page: https://registry.npmjs.org/vue-template-compiler/-/vue-template-compiler-2.7.14.tgz

Path to dependency file: /src/Administration/Resources/app/administration/package.json

Dependency Hierarchy:

  • vue-template-compiler-2.7.14.tgz (Vulnerable Library)
  • test-utils-1.3.6.tgz (Root Library)
    • vue-template-compiler-2.7.14.tgz (Vulnerable Library)
  • fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
    • vue-template-compiler-2.7.14.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable.

Vulnerability Details

An improper regular expression in Vue's parseHTML function leads to a potential regular expression denial of service (ReDoS) vulnerability.

Publish Date: Oct 15, 2024 03:40 PM

URL: CVE-2024-9506

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 3.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-5j4c-8p2g-v4jx

Release Date: Oct 15, 2024 03:40 PM

Fix Resolution: vue - 3.0.0
