📂 Vulnerable Library - webpack-plugin-injector-1.0.6.tgz
Injects Shopware Plugins into a Webpack config
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2022-37601 |
🟣 Critical |
9.8 |
Not Defined |
20.1% |
loader-utils-1.4.0.tgz |
Transitive |
N/A |
❌ |
 Reachable |
| CVE-2022-3517 |
🔴 High |
7.5 |
Not Defined |
< 1% |
minimatch-3.0.4.tgz |
Transitive |
N/A |
❌ |
Reachable |
| CVE-2022-37599 |
🔴 High |
7.5 |
Not Defined |
4.2% |
loader-utils-1.4.0.tgz |
Transitive |
N/A |
❌ |
Reachable |
| CVE-2022-37603 |
🔴 High |
7.5 |
Not Defined |
1.3000001% |
loader-utils-1.4.0.tgz |
Transitive |
N/A |
❌ |
Reachable |
| CVE-2026-26996 |
🔴 High |
7.5 |
Not Defined |
< 1% |
minimatch-3.0.4.tgz |
Transitive |
N/A |
❌ |
 Unreachable |
| CVE-2026-27903 |
🔴 High |
7.5 |
Not Defined |
< 1% |
minimatch-3.0.4.tgz |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2026-27904 |
🔴 High |
7.5 |
Not Defined |
< 1% |
minimatch-3.0.4.tgz |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2024-43788 |
🟠 Medium |
6.4 |
Not Defined |
1.8% |
webpack-4.46.0.tgz |
Direct |
webpack - 5.94.0 |
✅ |
Unreachable |
| CVE-2026-34043 |
🟠 Medium |
5.9 |
Not Defined |
< 1% |
serialize-javascript-4.0.0.tgz |
Transitive |
N/A |
❌ |
Reachable |
| CVE-2024-11831 |
🟠 Medium |
5.4 |
Not Defined |
1.1% |
serialize-javascript-4.0.0.tgz |
Transitive |
N/A |
❌ |
Reachable |
| CVE-2020-28469 |
🟠 Medium |
5.3 |
Not Defined |
< 1% |
glob-parent-3.1.0.tgz |
Transitive |
N/A |
❌ |
Unreachable |
Details
🟣CVE-2022-37601
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
-
webpack-4.46.0.tgz (Root Library)
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
-
webpack-cli-3.3.12.tgz (Root Library)
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/webpack.config.js (Application)
- copy-webpack-plugin-6.4.1/dist/cjs.js (Extension)
- copy-webpack-plugin-6.4.1/dist/index.js (Extension)
- loader-utils-1.4.0/lib/index.js (Extension)
-> ❌ loader-utils-1.4.0/lib/parseQuery.js (Vulnerable Component)
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: Oct 12, 2022 12:00 AM
URL: CVE-2022-37601
Threat Assessment
Exploit Maturity:Not Defined
EPSS:20.1%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: Oct 12, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.1,2.0.3
🔴CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
-
twig-1.13.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
mocha-7.2.0.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
nuxt-2.10.2.tgz (Root Library)
- builder-2.10.2.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
twig-1.15.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
optional-chaining-codemod-1.7.0.tgz (Root Library)
- jscodeshift-0.13.1.tgz
- node-dir-0.1.17.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
babel-jest-29.5.0.tgz (Root Library)
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
glob-7.1.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/webpack.config.js (Application)
- fork-ts-checker-webpack-plugin-6.5.3/lib/index.js (Extension)
- fork-ts-checker-webpack-plugin-6.5.3/lib/ForkTsCheckerWebpackPlugin.js (Extension)
- fork-ts-checker-webpack-plugin-6.5.3/lib/hooks/tapAfterEnvironmentToPatchWatching.js (Extension)
- fork-ts-checker-webpack-plugin-6.5.3/lib/watch/InclusiveNodeWatchFileSystem.js (Extension)
-> ❌ minimatch-3.0.4/minimatch.js (Vulnerable Component)
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2022-37599
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
-
webpack-4.46.0.tgz (Root Library)
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
-
webpack-cli-3.3.12.tgz (Root Library)
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/webpack.config.js (Application)
- copy-webpack-plugin-6.4.1/dist/cjs.js (Extension)
- copy-webpack-plugin-6.4.1/dist/index.js (Extension)
- loader-utils-1.4.0/lib/index.js (Extension)
-> ❌ loader-utils-1.4.0/lib/isUrlRequest.js (Vulnerable Component)
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: Oct 11, 2022 12:00 AM
URL: CVE-2022-37599
Threat Assessment
Exploit Maturity:Not Defined
EPSS:4.2%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: Oct 11, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2022-37603
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
-
webpack-4.46.0.tgz (Root Library)
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
-
webpack-cli-3.3.12.tgz (Root Library)
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/webpack.config.js (Application)
- copy-webpack-plugin-6.4.1/dist/cjs.js (Extension)
- copy-webpack-plugin-6.4.1/dist/index.js (Extension)
- loader-utils-1.4.0/lib/index.js (Extension)
-> ❌ loader-utils-1.4.0/lib/interpolateName.js (Vulnerable Component)
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: Oct 14, 2022 12:00 AM
URL: CVE-2022-37603
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.3000001%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: Oct 14, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2026-26996
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
-
twig-1.13.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
mocha-7.2.0.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
nuxt-2.10.2.tgz (Root Library)
- builder-2.10.2.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
twig-1.15.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
optional-chaining-codemod-1.7.0.tgz (Root Library)
- jscodeshift-0.13.1.tgz
- node-dir-0.1.17.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
babel-jest-29.5.0.tgz (Root Library)
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
glob-7.1.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution : https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
🔴CVE-2026-27903
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
-
twig-1.13.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
mocha-7.2.0.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
nuxt-2.10.2.tgz (Root Library)
- builder-2.10.2.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
twig-1.15.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
optional-chaining-codemod-1.7.0.tgz (Root Library)
- jscodeshift-0.13.1.tgz
- node-dir-0.1.17.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
babel-jest-29.5.0.tgz (Root Library)
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
glob-7.1.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: Feb 26, 2026 01:06 AM
URL: CVE-2026-27903
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: Feb 26, 2026 01:06 AM
Fix Resolution : https://github.com/isaacs/minimatch.git - v6.2.2,https://github.com/isaacs/minimatch.git - v8.0.6,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v3.1.3
🔴CVE-2026-27904
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
-
twig-1.13.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
mocha-7.2.0.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
nuxt-2.10.2.tgz (Root Library)
- builder-2.10.2.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
twig-1.15.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
optional-chaining-codemod-1.7.0.tgz (Root Library)
- jscodeshift-0.13.1.tgz
- node-dir-0.1.17.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
babel-jest-29.5.0.tgz (Root Library)
- babel-plugin-istanbul-6.1.1.tgz
- test-exclude-6.0.0.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
glob-7.1.4.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
-
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: Feb 26, 2026 01:07 AM
URL: CVE-2026-27904
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: Feb 26, 2026 01:07 AM
Fix Resolution : minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 4.2.5,minimatch - 3.1.4
🟠CVE-2024-43788
Vulnerable Library - webpack-4.46.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-4.46.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
-
❌ webpack-4.46.0.tgz (Vulnerable Library)
-
worker-loader-3.0.4.tgz (Root Library)
- ❌ webpack-4.46.0.tgz (Vulnerable Library)
-
webpack-dev-server-3.11.3.tgz (Root Library)
- ❌ webpack-4.46.0.tgz (Vulnerable Library)
-
optimize-css-assets-webpack-plugin-5.0.8.tgz (Root Library)
- ❌ webpack-4.46.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ webpack-4.46.0.tgz (Vulnerable Library)
-
copy-webpack-plugin-6.4.1.tgz (Root Library)
- ❌ webpack-4.46.0.tgz (Vulnerable Library)
-
terser-webpack-plugin-4.2.3.tgz (Root Library)
- ❌ webpack-4.46.0.tgz (Vulnerable Library)
-
webpack-cli-3.3.12.tgz (Root Library)
- ❌ webpack-4.46.0.tgz (Vulnerable Library)
-
ts-loader-8.4.0.tgz (Root Library)
- ❌ webpack-4.46.0.tgz (Vulnerable Library)
-
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
- ❌ webpack-4.46.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s "AutoPublicPathRuntimeModule". The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an "img" tag with an unsanitized "name" attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: Aug 27, 2024 05:07 PM
URL: CVE-2024-43788
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.8%
Score: 6.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-4vvj-4cpr-p986
Release Date: Aug 27, 2024 05:07 PM
Fix Resolution : webpack - 5.94.0
🟠CVE-2026-34043
Vulnerable Library - serialize-javascript-4.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-4.0.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
-
webpack-4.46.0.tgz (Root Library)
- terser-webpack-plugin-1.4.5.tgz
- ❌ serialize-javascript-4.0.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ serialize-javascript-4.0.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.7.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ serialize-javascript-4.0.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/webpack.config.js (Application)
- copy-webpack-plugin-6.4.1/dist/cjs.js (Extension)
- copy-webpack-plugin-6.4.1/dist/index.js (Extension)
-> ❌ serialize-javascript-4.0.0/index.js (Vulnerable Component)
Vulnerability Details
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Publish Date: Mar 31, 2026 01:48 AM
URL: CVE-2026-34043
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: yahoo/serialize-javascript@f147e90
Release Date: Mar 28, 2026 09:06 AM
Fix Resolution : https://github.com/yahoo/serialize-javascript.git - v7.0.5
🟠CVE-2024-11831
Vulnerable Library - serialize-javascript-4.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-4.0.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
-
webpack-4.46.0.tgz (Root Library)
- terser-webpack-plugin-1.4.5.tgz
- ❌ serialize-javascript-4.0.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ serialize-javascript-4.0.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.7.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ serialize-javascript-4.0.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/webpack.config.js (Application)
- copy-webpack-plugin-6.4.1/dist/cjs.js (Extension)
- copy-webpack-plugin-6.4.1/dist/index.js (Extension)
-> ❌ serialize-javascript-4.0.0/index.js (Vulnerable Component)
Vulnerability Details
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Publish Date: Feb 10, 2025 03:27 PM
URL: CVE-2024-11831
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.1%
Score: 5.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p7-773f-r4q5
Release Date: Feb 10, 2025 03:27 PM
Fix Resolution : serialize-javascript - 6.0.2
🟠CVE-2020-28469
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
-
webpack-dev-server-3.11.3.tgz (Root Library)
- chokidar-2.1.8.tgz
- ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
-
nuxt-2.10.2.tgz (Root Library)
- webpack-2.10.2.tgz
- webpack-4.41.2.tgz
- watchpack-1.6.0.tgz
- chokidar-2.1.8.tgz
- ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.6.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
-
webpack-plugin-injector-1.0.7.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
- ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: Jun 03, 2021 03:15 PM
URL: CVE-2020-28469
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: Jun 03, 2021 03:15 PM
Fix Resolution : glob-parent - 5.1.2
📂 Vulnerable Library - webpack-plugin-injector-1.0.6.tgz
Injects Shopware Plugins into a Webpack config
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Findings
Details
🟣CVE-2022-37601
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
webpack-4.46.0.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
webpack-cli-3.3.12.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: Oct 12, 2022 12:00 AM
URL: CVE-2022-37601
Threat Assessment
Exploit Maturity:Not Defined
EPSS:20.1%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: Oct 12, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.1,2.0.3
🔴CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
twig-1.13.3.tgz (Root Library)
mocha-7.2.0.tgz (Root Library)
nuxt-2.10.2.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
twig-1.15.4.tgz (Root Library)
optional-chaining-codemod-1.7.0.tgz (Root Library)
babel-jest-29.5.0.tgz (Root Library)
glob-7.1.4.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2022-37599
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
webpack-4.46.0.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
webpack-cli-3.3.12.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: Oct 11, 2022 12:00 AM
URL: CVE-2022-37599
Threat Assessment
Exploit Maturity:Not Defined
EPSS:4.2%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: Oct 11, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2022-37603
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
webpack-4.46.0.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
webpack-cli-3.3.12.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: Oct 14, 2022 12:00 AM
URL: CVE-2022-37603
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.3000001%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: Oct 14, 2022 12:00 AM
Fix Resolution : loader-utils - 1.4.2,2.0.4,3.2.1
🔴CVE-2026-26996
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
twig-1.13.3.tgz (Root Library)
mocha-7.2.0.tgz (Root Library)
nuxt-2.10.2.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
twig-1.15.4.tgz (Root Library)
optional-chaining-codemod-1.7.0.tgz (Root Library)
babel-jest-29.5.0.tgz (Root Library)
glob-7.1.4.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution : https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
🔴CVE-2026-27903
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
twig-1.13.3.tgz (Root Library)
mocha-7.2.0.tgz (Root Library)
nuxt-2.10.2.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
twig-1.15.4.tgz (Root Library)
optional-chaining-codemod-1.7.0.tgz (Root Library)
babel-jest-29.5.0.tgz (Root Library)
glob-7.1.4.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: Feb 26, 2026 01:06 AM
URL: CVE-2026-27903
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: Feb 26, 2026 01:06 AM
Fix Resolution : https://github.com/isaacs/minimatch.git - v6.2.2,https://github.com/isaacs/minimatch.git - v8.0.6,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v3.1.3
🔴CVE-2026-27904
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /tests/e2e/package.json
Dependency Hierarchy:
twig-1.13.3.tgz (Root Library)
mocha-7.2.0.tgz (Root Library)
nuxt-2.10.2.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
twig-1.15.4.tgz (Root Library)
optional-chaining-codemod-1.7.0.tgz (Root Library)
babel-jest-29.5.0.tgz (Root Library)
glob-7.1.4.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: Feb 26, 2026 01:07 AM
URL: CVE-2026-27904
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: Feb 26, 2026 01:07 AM
Fix Resolution : minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 4.2.5,minimatch - 3.1.4
🟠CVE-2024-43788
Vulnerable Library - webpack-4.46.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-4.46.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
❌ webpack-4.46.0.tgz (Vulnerable Library)
worker-loader-3.0.4.tgz (Root Library)
webpack-dev-server-3.11.3.tgz (Root Library)
optimize-css-assets-webpack-plugin-5.0.8.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
copy-webpack-plugin-6.4.1.tgz (Root Library)
terser-webpack-plugin-4.2.3.tgz (Root Library)
webpack-cli-3.3.12.tgz (Root Library)
ts-loader-8.4.0.tgz (Root Library)
fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s "AutoPublicPathRuntimeModule". The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an "img" tag with an unsanitized "name" attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: Aug 27, 2024 05:07 PM
URL: CVE-2024-43788
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.8%
Score: 6.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-4vvj-4cpr-p986
Release Date: Aug 27, 2024 05:07 PM
Fix Resolution : webpack - 5.94.0
🟠CVE-2026-34043
Vulnerable Library - serialize-javascript-4.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-4.0.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
webpack-4.46.0.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
webpack-plugin-injector-1.0.7.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Publish Date: Mar 31, 2026 01:48 AM
URL: CVE-2026-34043
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: yahoo/serialize-javascript@f147e90
Release Date: Mar 28, 2026 09:06 AM
Fix Resolution : https://github.com/yahoo/serialize-javascript.git - v7.0.5
🟠CVE-2024-11831
Vulnerable Library - serialize-javascript-4.0.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-4.0.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
webpack-4.46.0.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
webpack-plugin-injector-1.0.7.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Publish Date: Feb 10, 2025 03:27 PM
URL: CVE-2024-11831
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.1%
Score: 5.4
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p7-773f-r4q5
Release Date: Feb 10, 2025 03:27 PM
Fix Resolution : serialize-javascript - 6.0.2
🟠CVE-2020-28469
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
webpack-dev-server-3.11.3.tgz (Root Library)
nuxt-2.10.2.tgz (Root Library)
webpack-plugin-injector-1.0.6.tgz (Root Library)
webpack-plugin-injector-1.0.7.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: Jun 03, 2021 03:15 PM
URL: CVE-2020-28469
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: Jun 03, 2021 03:15 PM
Fix Resolution : glob-parent - 5.1.2