📂 Vulnerable Library - twig-1.15.4.tgz
JS port of the Twig templating language.
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2026-32304 |
🟣 Critical |
9.8 |
Not Defined |
< 1% |
locutus-2.0.15.tgz |
Transitive |
N/A |
❌ |
 Unreachable |
| CVE-2026-25521 |
🟣 Critical |
9.3 |
Not Defined |
< 1% |
locutus-2.0.15.tgz |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2026-29091 |
🔴 High |
8.1 |
Not Defined |
< 1% |
locutus-2.0.15.tgz |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2022-3517 |
🔴 High |
7.5 |
Not Defined |
< 1% |
minimatch-3.0.4.tgz |
Transitive |
N/A |
❌ |
 Reachable |
| CVE-2026-26996 |
🔴 High |
7.5 |
Not Defined |
< 1% |
minimatch-3.0.4.tgz |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2026-27903 |
🔴 High |
7.5 |
Not Defined |
< 1% |
minimatch-3.0.4.tgz |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2026-27904 |
🔴 High |
7.5 |
Not Defined |
< 1% |
minimatch-3.0.4.tgz |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2025-27789 |
🟠 Medium |
6.2 |
Not Defined |
< 1% |
runtime-7.21.0.tgz |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2026-33993 |
🟠 Medium |
5.3 |
Not Defined |
< 1% |
locutus-2.0.15.tgz |
Transitive |
N/A |
❌ |
Unreachable |
Details
🟣CVE-2026-32304
Vulnerable Library - locutus-2.0.15.tgz
Locutus other languages' standard libraries to JavaScript for fun and educational purposes
Library home page: https://registry.npmjs.org/locutus/-/locutus-2.0.15.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- twig-1.15.4.tgz (Root Library)
- ❌ locutus-2.0.15.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
Publish Date: Mar 12, 2026 09:24 PM
URL: CVE-2026-32304
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2026-25521
Vulnerable Library - locutus-2.0.15.tgz
Locutus other languages' standard libraries to JavaScript for fun and educational purposes
Library home page: https://registry.npmjs.org/locutus/-/locutus-2.0.15.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- twig-1.15.4.tgz (Root Library)
- ❌ locutus-2.0.15.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.
Publish Date: Feb 04, 2026 09:20 PM
URL: CVE-2026-25521
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-rxrv-835q-v5mh
Release Date: Feb 04, 2026 09:20 PM
Fix Resolution : locutus - 2.0.39,https://github.com/locutusjs/locutus.git - v2.0.39
🔴CVE-2026-29091
Vulnerable Library - locutus-2.0.15.tgz
Locutus other languages' standard libraries to JavaScript for fun and educational purposes
Library home page: https://registry.npmjs.org/locutus/-/locutus-2.0.15.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- twig-1.15.4.tgz (Root Library)
- ❌ locutus-2.0.15.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.
Publish Date: Mar 06, 2026 05:48 PM
URL: CVE-2026-29091
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin: locutusjs/locutus@977a1fb
Release Date: Mar 06, 2026 05:48 PM
Fix Resolution : https://github.com/locutusjs/locutus.git - v3.0.0
🔴CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
-
twig-1.13.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
mocha-7.2.0.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
nuxt-2.10.2.tgz (Root Library)
- builder-2.10.2.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
twig-1.15.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
optional-chaining-codemod-1.7.0.tgz (Root Library)
- jscodeshift-0.13.1.tgz
- node-dir-0.1.17.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
babel-jest-29.5.0.tgz (Root Library)
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
glob-7.1.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/webpack.config.js (Application)
- fork-ts-checker-webpack-plugin-6.5.3/lib/index.js (Extension)
- fork-ts-checker-webpack-plugin-6.5.3/lib/ForkTsCheckerWebpackPlugin.js (Extension)
- fork-ts-checker-webpack-plugin-6.5.3/lib/hooks/tapAfterEnvironmentToPatchWatching.js (Extension)
- fork-ts-checker-webpack-plugin-6.5.3/lib/watch/InclusiveNodeWatchFileSystem.js (Extension)
-> ❌ minimatch-3.0.4/minimatch.js (Vulnerable Component)
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2026-26996
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
-
twig-1.13.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
mocha-7.2.0.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
nuxt-2.10.2.tgz (Root Library)
- builder-2.10.2.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
twig-1.15.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
optional-chaining-codemod-1.7.0.tgz (Root Library)
- jscodeshift-0.13.1.tgz
- node-dir-0.1.17.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
babel-jest-29.5.0.tgz (Root Library)
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
glob-7.1.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution : https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
🔴CVE-2026-27903
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
-
twig-1.13.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
mocha-7.2.0.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
nuxt-2.10.2.tgz (Root Library)
- builder-2.10.2.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
twig-1.15.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
optional-chaining-codemod-1.7.0.tgz (Root Library)
- jscodeshift-0.13.1.tgz
- node-dir-0.1.17.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
babel-jest-29.5.0.tgz (Root Library)
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
glob-7.1.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: Feb 26, 2026 01:06 AM
URL: CVE-2026-27903
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: Feb 26, 2026 01:06 AM
Fix Resolution : https://github.com/isaacs/minimatch.git - v6.2.2,https://github.com/isaacs/minimatch.git - v8.0.6,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v3.1.3
🔴CVE-2026-27904
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
-
twig-1.13.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
mocha-7.2.0.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
nuxt-2.10.2.tgz (Root Library)
- builder-2.10.2.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
twig-1.15.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
optional-chaining-codemod-1.7.0.tgz (Root Library)
- jscodeshift-0.13.1.tgz
- node-dir-0.1.17.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
babel-jest-29.5.0.tgz (Root Library)
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
glob-7.1.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: Feb 26, 2026 01:07 AM
URL: CVE-2026-27904
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: Feb 26, 2026 01:07 AM
Fix Resolution : minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 4.2.5,minimatch - 3.1.4
🟠CVE-2025-27789
Vulnerable Library - runtime-7.21.0.tgz
babel's modular runtime helpers
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.21.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: Mar 11, 2025 07:09 PM
URL: CVE-2025-27789
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: Mar 11, 2025 07:09 PM
Fix Resolution : @babel/runtime-corejs3 - 7.26.10,@babel/runtime - 8.0.0-alpha.17,@babel/helpers - 8.0.0-alpha.17,@babel/runtime-corejs3 - 8.0.0-alpha.17,https://github.com/babel/babel.git - v7.26.10,@babel/runtime-corejs2 - 8.0.0-alpha.17,@babel/runtime - 7.26.10,@babel/helpers - 7.26.10,@babel/runtime-corejs2 - 7.26.10
🟠CVE-2026-33993
Vulnerable Library - locutus-2.0.15.tgz
Locutus other languages' standard libraries to JavaScript for fun and educational purposes
Library home page: https://registry.npmjs.org/locutus/-/locutus-2.0.15.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- twig-1.15.4.tgz (Root Library)
- ❌ locutus-2.0.15.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the "unserialize()" function in "locutus/php/var/unserialize" assigns deserialized keys to plain objects via bracket notation without filtering the "proto" key. When a PHP serialized payload contains "proto" as an array or object key, JavaScript's "proto" setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in "parse_str" (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — "unserialize" is a different function with no mitigation applied. Version 3.0.25 patches the issue.
Publish Date: Mar 27, 2026 10:14 PM
URL: CVE-2026-33993
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: locutusjs/locutus@345a621
Release Date: Mar 27, 2026 10:14 PM
Fix Resolution : https://github.com/locutusjs/locutus.git - v3.0.25
📂 Vulnerable Library - twig-1.15.4.tgz
JS port of the Twig templating language.
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Findings
Details
🟣CVE-2026-32304
Vulnerable Library - locutus-2.0.15.tgz
Locutus other languages' standard libraries to JavaScript for fun and educational purposes
Library home page: https://registry.npmjs.org/locutus/-/locutus-2.0.15.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
Publish Date: Mar 12, 2026 09:24 PM
URL: CVE-2026-32304
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2026-25521
Vulnerable Library - locutus-2.0.15.tgz
Locutus other languages' standard libraries to JavaScript for fun and educational purposes
Library home page: https://registry.npmjs.org/locutus/-/locutus-2.0.15.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.
Publish Date: Feb 04, 2026 09:20 PM
URL: CVE-2026-25521
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-rxrv-835q-v5mh
Release Date: Feb 04, 2026 09:20 PM
Fix Resolution : locutus - 2.0.39,https://github.com/locutusjs/locutus.git - v2.0.39
🔴CVE-2026-29091
Vulnerable Library - locutus-2.0.15.tgz
Locutus other languages' standard libraries to JavaScript for fun and educational purposes
Library home page: https://registry.npmjs.org/locutus/-/locutus-2.0.15.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.
Publish Date: Mar 06, 2026 05:48 PM
URL: CVE-2026-29091
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin: locutusjs/locutus@977a1fb
Release Date: Mar 06, 2026 05:48 PM
Fix Resolution : https://github.com/locutusjs/locutus.git - v3.0.0
🔴CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
twig-1.13.3.tgz (Root Library)
mocha-7.2.0.tgz (Root Library)
nuxt-2.10.2.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
twig-1.15.4.tgz (Root Library)
optional-chaining-codemod-1.7.0.tgz (Root Library)
babel-jest-29.5.0.tgz (Root Library)
glob-7.1.4.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2026-26996
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
twig-1.13.3.tgz (Root Library)
mocha-7.2.0.tgz (Root Library)
nuxt-2.10.2.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
twig-1.15.4.tgz (Root Library)
optional-chaining-codemod-1.7.0.tgz (Root Library)
babel-jest-29.5.0.tgz (Root Library)
glob-7.1.4.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution : https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
🔴CVE-2026-27903
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
twig-1.13.3.tgz (Root Library)
mocha-7.2.0.tgz (Root Library)
nuxt-2.10.2.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
twig-1.15.4.tgz (Root Library)
optional-chaining-codemod-1.7.0.tgz (Root Library)
babel-jest-29.5.0.tgz (Root Library)
glob-7.1.4.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: Feb 26, 2026 01:06 AM
URL: CVE-2026-27903
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: Feb 26, 2026 01:06 AM
Fix Resolution : https://github.com/isaacs/minimatch.git - v6.2.2,https://github.com/isaacs/minimatch.git - v8.0.6,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v3.1.3
🔴CVE-2026-27904
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
twig-1.13.3.tgz (Root Library)
mocha-7.2.0.tgz (Root Library)
nuxt-2.10.2.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
twig-1.15.4.tgz (Root Library)
optional-chaining-codemod-1.7.0.tgz (Root Library)
babel-jest-29.5.0.tgz (Root Library)
glob-7.1.4.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: Feb 26, 2026 01:07 AM
URL: CVE-2026-27904
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: Feb 26, 2026 01:07 AM
Fix Resolution : minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 4.2.5,minimatch - 3.1.4
🟠CVE-2025-27789
Vulnerable Library - runtime-7.21.0.tgz
babel's modular runtime helpers
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.21.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
twig-1.15.4.tgz (Root Library)
optional-chaining-codemod-1.7.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: Mar 11, 2025 07:09 PM
URL: CVE-2025-27789
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: Mar 11, 2025 07:09 PM
Fix Resolution : @babel/runtime-corejs3 - 7.26.10,@babel/runtime - 8.0.0-alpha.17,@babel/helpers - 8.0.0-alpha.17,@babel/runtime-corejs3 - 8.0.0-alpha.17,https://github.com/babel/babel.git - v7.26.10,@babel/runtime-corejs2 - 8.0.0-alpha.17,@babel/runtime - 7.26.10,@babel/helpers - 7.26.10,@babel/runtime-corejs2 - 7.26.10
🟠CVE-2026-33993
Vulnerable Library - locutus-2.0.15.tgz
Locutus other languages' standard libraries to JavaScript for fun and educational purposes
Library home page: https://registry.npmjs.org/locutus/-/locutus-2.0.15.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the "unserialize()" function in "locutus/php/var/unserialize" assigns deserialized keys to plain objects via bracket notation without filtering the "proto" key. When a PHP serialized payload contains "proto" as an array or object key, JavaScript's "proto" setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in "parse_str" (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — "unserialize" is a different function with no mitigation applied. Version 3.0.25 patches the issue.
Publish Date: Mar 27, 2026 10:14 PM
URL: CVE-2026-33993
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: locutusjs/locutus@345a621
Release Date: Mar 27, 2026 10:14 PM
Fix Resolution : https://github.com/locutusjs/locutus.git - v3.0.25