draft-js-markdown-plugin-1.4.4.tgz: 2 vulnerabilities (highest severity is: 7.5) [alpha] (unreachable)

[renovate]

📂 Vulnerable Library - draft-js-markdown-plugin-1.4.4.tgz

A DraftJS plugin for supporting Markdown syntax shortcuts, fork of draft-js-markdown-shortcuts-plugin

Path to dependency file: /api/package.json

Findings

Finding	Severity	🎯 CVSS	Exploit Maturity	EPSS	Library	Type	Fixed in	Remediation Available	Reachability
CVE-2026-29063	🔴 High	7.5	Not Defined	< 1%	immutable-3.8.2.tgz	Transitive	N/A	❌	Unreachable
CVE-2026-29063	🔴 High	7.5	Not Defined	< 1%	immutable-3.7.6.tgz	Transitive	N/A	❌	Unreachable

Details

🔴CVE-2026-29063

Vulnerable Library - immutable-3.8.2.tgz

Immutable Data Collections

Library home page: https://registry.npmjs.org/immutable/-/immutable-3.8.2.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

• draft-js-markdown-plugin-1.4.4.tgz (Root Library)

  • draft-js-prism-plugin-0.1.3.tgz
    • draft-js-prism-1.0.6.tgz
      • ❌ immutable-3.8.2.tgz (Vulnerable Library)

• draft-js-code-editor-plugin-0.2.1.tgz (Root Library)

  • draft-js-code-0.3.0.tgz
    • ❌ immutable-3.8.2.tgz (Vulnerable Library)

• draft-js-prism-plugin-0.1.1.tgz (Root Library)

  • draft-js-prism-1.0.3.tgz
    • ❌ immutable-3.8.2.tgz (Vulnerable Library)

---

Reachability Analysis

The vulnerable code is unreachable

---

Vulnerability Details

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Publish Date: Mar 06, 2026 06:25 PM

URL: CVE-2026-29063

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5

---

Suggested Fix

Type: Upgrade version

Origin: GHSA-wf6x-7x77-mvgw

Release Date: Mar 06, 2026 06:25 PM

Fix Resolution : https://github.com/immutable-js/immutable-js.git - v3.8.3,https://github.com/immutable-js/immutable-js.git - v4.3.7,https://github.com/immutable-js/immutable-js.git - v5.1.5

🔴CVE-2026-29063

Vulnerable Library - immutable-3.7.6.tgz

Immutable Data Collections

Library home page: https://registry.npmjs.org/immutable/-/immutable-3.7.6.tgz

Path to dependency file: /api/package.json

Dependency Hierarchy:

• draft-js-markdown-plugin-1.4.4.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-drag-n-drop-plugin-2.0.0-rc9.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-linkify-plugin-2.0.1.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-code-editor-plugin-0.2.1.tgz (Root Library)

  • draft-js-0.10.5.tgz
    • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-plugins-editor-2.1.1.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-focus-plugin-2.0.0-rc2.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-image-plugin-2.0.0-rc8.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

• draft-js-0.10.5.tgz (Root Library)

  • ❌ immutable-3.7.6.tgz (Vulnerable Library)

---

Reachability Analysis

The vulnerable code is unreachable

---

Vulnerability Details

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Publish Date: Mar 06, 2026 06:25 PM

URL: CVE-2026-29063

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5

---

Suggested Fix

Type: Upgrade version

Origin: GHSA-wf6x-7x77-mvgw

Release Date: Mar 06, 2026 06:25 PM

Fix Resolution : https://github.com/immutable-js/immutable-js.git - v3.8.3,https://github.com/immutable-js/immutable-js.git - v4.3.7,https://github.com/immutable-js/immutable-js.git - v5.1.5