📂 Vulnerable Library - ui-library-0.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /apps/ui-library/package.json
Partial results (22 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-62718 | 🟣 Critical | 9.9 | N/A | N/A | axios-1.12.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-61686 | 🟣 Critical | 9.1 | Not Defined | < 1% | node-7.4.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-21884 | 🔴 High | 8.2 | Not Defined | < 1% | react-router-7.5.3.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2026-4800 | 🔴 High | 8.1 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-22029 | 🔴 High | 8.0 | Not Defined | < 1% | react-router-7.5.3.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2025-59057 | 🔴 High | 7.6 | Not Defined | < 1% | react-router-7.5.3.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2025-64756 | 🔴 High | 7.5 | Not Defined | < 1% | glob-10.4.5.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-66020 | 🔴 High | 7.5 | Not Defined | < 1% | valibot-0.41.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-1526 | 🔴 High | 7.5 | Not Defined | < 1% | undici-6.21.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-1528 | 🔴 High | 7.5 | Not Defined | < 1% | undici-6.21.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-2229 | 🔴 High | 7.5 | Not Defined | < 1% | undici-6.21.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-25639 | 🔴 High | 7.5 | Not Defined | < 1% | axios-1.12.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-26996 | 🔴 High | 7.5 | Not Defined | < 1% | minimatch-9.0.5.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-27903 | 🔴 High | 7.5 | Not Defined | < 1% | minimatch-9.0.5.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-27904 | 🔴 High | 7.5 | Not Defined | < 1% | minimatch-9.0.5.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-39363 | 🔴 High | 7.5 | N/A | N/A | vite-7.1.11.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2026-39364 | 🔴 High | 7.5 | Not Defined | < 1% | vite-7.1.11.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2025-13465 | 🔴 High | 7.2 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-68470 | 🟠 Medium | 6.5 | Not Defined | < 1% | react-router-7.5.3.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2026-1525 | 🟠 Medium | 6.5 | Not Defined | < 1% | undici-6.21.2.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-22030 | 🟠 Medium | 6.5 | Not Defined | < 1% | react-router-7.5.3.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2026-29057 | 🟠 Medium | 6.5 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | ❌ | Unreachable |
Details
🟣CVE-2025-62718
Vulnerable Library - axios-1.12.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.12.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- ❌ axios-1.12.2.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.
Publish Date: Apr 09, 2026 02:31 PM
URL: CVE-2025-62718
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣CVE-2025-61686
Vulnerable Library - node-7.4.0.tgz
Node.js platform abstractions for React Router
Library home page: https://registry.npmjs.org/@react-router/node/-/node-7.4.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- ❌ node-7.4.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
Publish Date: Jan 10, 2026 02:41 AM
URL: CVE-2025-61686
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.1
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-9583-h5hc-x8cw
Release Date: Jan 08, 2026 10:04 PM
Fix Resolution: @remix-run/node - 2.17.2, https://github.com/remix-run/react-router.git - react-router@7.9.4, @react-router/node - 7.9.4, react-router - no_fix, @remix-run/deno - 2.17.2
🔴CVE-2026-21884
Vulnerable Library - react-router-7.5.3.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- ❌ react-router-7.5.3.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- refine-user-management-0.1.0/src/App.tsx (Application)
-> ❌ react-router-7.5.3/dist/development/index.js (Vulnerable Component)
Vulnerability Details
React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode () or Data Mode (createBrowserRouter/) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Publish Date: Jan 10, 2026 02:41 AM
URL: CVE-2026-21884
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-8v8x-cx79-35w7
Release Date: Jan 09, 2026 11:23 AM
Fix Resolution: @remix-run/react - 2.17.3, https://github.com/remix-run/react-router.git - create-react-router@7.12.0, react-router - 7.12.0
🔴CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - dev-7.4.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - payload-3.52.0.tgz
    - json-schema-to-typescript-15.0.3.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- config-0.0.0.tgz (Root Library)
  - tailwindcss-variables-2.7.0.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - recharts-2.15.4.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ai-commands-0.0.0.tgz (Root Library)
  - schema-builder-0.18.5.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - remark-emoji-3.1.2.tgz
    - node-emoji-1.11.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- studio-0.0.9.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- @supabase/vue-blocks-0.1.0.tgz (Root Library)
  - nuxt-4.1.2.tgz
    - nitropack-2.12.6.tgz
      - archiver-7.0.1.tgz
        - archiver-utils-5.0.2.tgz
          - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: Mar 31, 2026 07:25 PM
URL: CVE-2026-4800
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2026-22029
Vulnerable Library - react-router-7.5.3.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- ❌ react-router-7.5.3.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- refine-user-management-0.1.0/src/App.tsx (Application)
-> ❌ react-router-7.5.3/dist/development/index.js (Vulnerable Component)
Vulnerability Details
React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs, causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode () is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Publish Date: Jan 10, 2026 02:42 AM
URL: CVE-2026-22029
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.0
Suggested Fix
Type: Upgrade version
Origin: GHSA-2w69-qvjg-hvjx
Release Date: Jan 08, 2026 10:01 PM
Fix Resolution: https://github.com/remix-run/react-router.git - react-router@7.12.0, @remix-run/router - 1.23.2, https://github.com/remix-run/react-router.git - @remix-run/router@1.23.2, react-router - 7.12.0
🔴CVE-2025-59057
Vulnerable Library - react-router-7.5.3.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- ❌ react-router-7.5.3.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- refine-user-management-0.1.0/src/App.tsx (Application)
-> ❌ react-router-7.5.3/dist/development/index.js (Vulnerable Component)
Vulnerability Details
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode () or Data Mode (createBrowserRouter/). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
Publish Date: Jan 10, 2026 02:40 AM
URL: CVE-2025-59057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.6
Suggested Fix
Type: Upgrade version
Origin: GHSA-3cgp-3xvw-98x8
Release Date: Jan 09, 2026 11:24 AM
Fix Resolution: react-router - 7.9.0, https://github.com/remix-run/react-router.git - react-router@7.9.0
🔴CVE-2025-64756
Vulnerable Library - glob-10.4.5.tgz
Library home page: https://registry.npmjs.org/glob/-/glob-10.4.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - dev-7.4.0.tgz
      - package-json-4.0.1.tgz
        - ❌ glob-10.4.5.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - coverage-v8-3.2.4.tgz
    - test-exclude-7.0.1.tgz
      - ❌ glob-10.4.5.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - libpg-query-15.2.0.tgz
    - node-gyp-10.1.0.tgz
      - ❌ glob-10.4.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Nov 17, 2025 05:29 PM
URL: CVE-2025-64756
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-5j98-mcp5-4vw2
Release Date: Nov 17, 2025 05:29 PM
Fix Resolution: https://github.com/isaacs/node-glob.git - v10.5.0, glob - 11.1.0, https://github.com/isaacs/node-glob.git - v11.1.0, glob - 10.5.0
🔴CVE-2025-66020
Vulnerable Library - valibot-0.41.0.tgz
The modular and type safe schema library for validating structural data
Library home page: https://registry.npmjs.org/valibot/-/valibot-0.41.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- ❌ valibot-0.41.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application. This issue has been patched in version 1.2.0.
Publish Date: Nov 26, 2025 01:49 AM
URL: CVE-2025-66020
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: open-circle/valibot@cfb799d
Release Date: Nov 26, 2025 01:49 AM
Fix Resolution: https://github.com/open-circle/valibot.git - v1.2.0
🔴CVE-2026-1526
Vulnerable Library - undici-6.21.2.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- node-7.4.0.tgz
- ❌ undici-6.21.2.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: Mar 12, 2026 08:08 PM
URL: CVE-2026-1526
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2026-1528
Vulnerable Library - undici-6.21.2.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- node-7.4.0.tgz
- ❌ undici-6.21.2.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows its internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches: Patched in undici versions v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.
Publish Date: Mar 12, 2026 08:21 PM
URL: CVE-2026-1528
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2026-2229
Vulnerable Library - undici-6.21.2.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- node-7.4.0.tgz
- ❌ undici-6.21.2.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
Publish Date: Mar 12, 2026 08:27 PM
URL: CVE-2026-2229
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2026-25639
Vulnerable Library - axios-1.12.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.12.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- ❌ axios-1.12.2.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 09, 2026 08:11 PM
URL: CVE-2026-25639
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: axios/axios@28c7215
Release Date: Feb 09, 2026 08:11 PM
Fix Resolution: https://github.com/axios/axios.git - v1.13.5
🔴CVE-2026-26996
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - coverage-v8-3.2.4.tgz
    - test-exclude-7.0.1.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - ts-morph-22.0.0.tgz
    - common-0.23.0.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - libpg-query-15.2.0.tgz
    - node-gyp-10.1.0.tgz
      - glob-10.4.5.tgz
        - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1, https://github.com/isaacs/minimatch.git - v5.1.7, https://github.com/isaacs/minimatch.git - v4.2.4, https://github.com/isaacs/minimatch.git - v3.1.3, https://github.com/isaacs/minimatch.git - v8.0.5, https://github.com/isaacs/minimatch.git - v9.0.6, https://github.com/isaacs/minimatch.git - v6.2.1, https://github.com/isaacs/minimatch.git - v7.4.7
🔴CVE-2026-27903
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - coverage-v8-3.2.4.tgz
    - test-exclude-7.0.1.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - ts-morph-22.0.0.tgz
    - common-0.23.0.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - libpg-query-15.2.0.tgz
    - node-gyp-10.1.0.tgz
      - glob-10.4.5.tgz
        - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: Feb 26, 2026 01:06 AM
URL: CVE-2026-27903
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: Feb 26, 2026 01:06 AM
Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3, https://github.com/isaacs/minimatch.git - v4.2.5, https://github.com/isaacs/minimatch.git - v6.2.2, https://github.com/isaacs/minimatch.git - v10.2.3, https://github.com/isaacs/minimatch.git - v5.1.8, https://github.com/isaacs/minimatch.git - v9.0.7, https://github.com/isaacs/minimatch.git - v7.4.8, https://github.com/isaacs/minimatch.git - v8.0.6
🔴CVE-2026-27904
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - coverage-v8-3.2.4.tgz
    - test-exclude-7.0.1.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - ts-morph-22.0.0.tgz
    - common-0.23.0.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - libpg-query-15.2.0.tgz
    - node-gyp-10.1.0.tgz
      - glob-10.4.5.tgz
        - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: Feb 26, 2026 01:07 AM
URL: CVE-2026-27904
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: Feb 26, 2026 01:07 AM
Fix Resolution: minimatch - 7.4.8, minimatch - 10.2.3, minimatch - 8.0.6, minimatch - 6.2.2, minimatch - 9.0.7, minimatch - 5.1.8, minimatch - 4.2.5, minimatch - 3.1.4
🔴CVE-2026-39363
Vulnerable Library - vite-7.1.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.1.11.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - dev-7.4.0.tgz
      - ❌ vite-7.1.11.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - coverage-v8-3.2.4.tgz
    - vitest-3.2.4.tgz
      - ❌ vite-7.1.11.tgz (Vulnerable Library)
- studio-0.0.9.tgz (Root Library)
  - plugin-react-4.3.4.tgz
    - ❌ vite-7.1.11.tgz (Vulnerable Library)
- @supabase/vue-blocks-0.1.0.tgz (Root Library)
  - nuxt-4.1.2.tgz
    - devtools-2.6.4.tgz
      - devtools-core-7.7.7.tgz
        - vite-hot-client-2.1.0.tgz
          - ❌ vite-7.1.11.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- react-user-management-0.0.0/vite.config.js (Application)
- vite-7.1.11/dist/node/index.js (Extension)
-> ❌ vite-7.1.11/dist/node/chunks/config.js (Vulnerable Component)
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: Apr 07, 2026 07:10 PM
URL: CVE-2026-39363
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-p9ff-h696-f583
Release Date: Apr 07, 2026 07:10 PM
Fix Resolution: vite-plus - 0.1.16, https://github.com/vitejs/vite.git - v7.3.2, https://github.com/vitejs/vite.git - v6.4.2, https://github.com/vitejs/vite.git - v8.0.5
🔴CVE-2026-39364
Vulnerable Library - vite-7.1.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.1.11.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - dev-7.4.0.tgz
      - ❌ vite-7.1.11.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - coverage-v8-3.2.4.tgz
    - vitest-3.2.4.tgz
      - ❌ vite-7.1.11.tgz (Vulnerable Library)
- studio-0.0.9.tgz (Root Library)
  - plugin-react-4.3.4.tgz
    - ❌ vite-7.1.11.tgz (Vulnerable Library)
- @supabase/vue-blocks-0.1.0.tgz (Root Library)
  - nuxt-4.1.2.tgz
    - devtools-2.6.4.tgz
      - devtools-core-7.7.7.tgz
        - vite-hot-client-2.1.0.tgz
          - ❌ vite-7.1.11.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- react-user-management-0.0.0/vite.config.js (Application)
- vite-7.1.11/dist/node/index.js (Extension)
-> ❌ vite-7.1.11/dist/node/chunks/config.js (Vulnerable Component)
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
Publish Date: Apr 07, 2026 07:12 PM
URL: CVE-2026-39364
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-v2wj-q39q-566r
Release Date: Apr 07, 2026 07:12 PM
Fix Resolution: https://github.com/vitejs/vite.git - v7.3.2, https://github.com/vitejs/vite.git - v8.0.5
🔴CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - dev-7.4.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - payload-3.52.0.tgz
    - json-schema-to-typescript-15.0.3.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- config-0.0.0.tgz (Root Library)
  - tailwindcss-variables-2.7.0.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - recharts-2.15.4.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ai-commands-0.0.0.tgz (Root Library)
  - schema-builder-0.18.5.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - remark-emoji-3.1.2.tgz
    - node-emoji-1.11.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- studio-0.0.9.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- @supabase/vue-blocks-0.1.0.tgz (Root Library)
  - nuxt-4.1.2.tgz
    - nitropack-2.12.6.tgz
      - archiver-7.0.1.tgz
        - archiver-utils-5.0.2.tgz
          - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Publish Date: Jan 21, 2026 07:05 PM
URL: CVE-2025-13465
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2025-68470
Vulnerable Library - react-router-7.5.3.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- ❌ react-router-7.5.3.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- refine-user-management-0.1.0/src/App.tsx (Application)
-> ❌ react-router-7.5.3/dist/development/index.js (Vulnerable Component)
Vulnerability Details
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Publish Date: Jan 10, 2026 02:39 AM
URL: CVE-2025-68470
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-9jcx-v3wj-wh4m
Release Date: Jan 08, 2026 10:04 PM
Fix Resolution: https://github.com/remix-run/react-router.git - create-react-router@6.30.2, https://github.com/remix-run/react-router.git - create-react-router@7.9.6, react-router - 7.9.6, react-router - 6.30.2
🟠CVE-2026-1525
Vulnerable Library - undici-6.21.2.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- node-7.4.0.tgz
- ❌ undici-6.21.2.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
- Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
- Applications that accept user-controlled header names without case-normalization
Potential consequences:
- Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
- HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Publish Date: Mar 12, 2026 07:56 PM
URL: CVE-2026-1525
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2026-22030
Vulnerable Library - react-router-7.5.3.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
- fs-routes-7.4.0.tgz
- dev-7.4.0.tgz
- ❌ react-router-7.5.3.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- refine-user-management-0.1.0/src/App.tsx (Application)
-> ❌ react-router-7.5.3/dist/development/index.js (Vulnerable Component)
Vulnerability Details
React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode () or Data Mode (createBrowserRouter/) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
Publish Date: Jan 10, 2026 02:42 AM
URL: CVE-2026-22030
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2026-29057
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - ui-3.52.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - next-contentlayer2-0.4.6.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - nextjs-10.27.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- www-0.0.3.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Summary: When Next.js rewrites proxy traffic to an external backend, a crafted "DELETE"/"OPTIONS" request using "Transfer-Encoding: chunked" could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.
Impact: An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches: The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so "content-length: 0" is added only when both "content-length" and "transfer-encoding" are absent, and "transfer-encoding" is no longer removed in that code path.
Workarounds: If upgrade is not immediately possible:
- Block chunked "DELETE"/"OPTIONS" requests on rewritten routes at your edge/proxy.
- Enforce authentication/authorization on backend routes per our "security guidance" (https://nextjs.org/docs/app/guides/data-security).
Publish Date: Mar 18, 2026 01:55 AM
URL: CVE-2026-29057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: vercel/next.js@dc98c04
Release Date: Mar 18, 2026 12:30 AM
Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7, https://github.com/vercel/next.js.git - v15.5.13
📂 Vulnerable Library - ui-library-0.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /apps/ui-library/package.json
Findings
Details
🟣CVE-2025-62718
Vulnerable Library - axios-1.12.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.12.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.
Publish Date: Apr 09, 2026 02:31 PM
URL: CVE-2025-62718
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.9
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2025-61686
Vulnerable Library - node-7.4.0.tgz
Node.js platform abstractions for React Router
Library home page: https://registry.npmjs.org/@react-router/node/-/node-7.4.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
Publish Date: Jan 10, 2026 02:41 AM
URL: CVE-2025-61686
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.1
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-9583-h5hc-x8cw
Release Date: Jan 08, 2026 10:04 PM
Fix Resolution : @remix-run/node - 2.17.2,https://github.com/remix-run/react-router.git - react-router@7.9.4,@react-router/node - 7.9.4,react-router - no_fix,@remix-run/deno - 2.17.2
🔴CVE-2026-21884
Vulnerable Library - react-router-7.5.3.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode () or Data Mode (createBrowserRouter/) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Publish Date: Jan 10, 2026 02:41 AM
URL: CVE-2026-21884
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-8v8x-cx79-35w7
Release Date: Jan 09, 2026 11:23 AM
Fix Resolution : @remix-run/react - 2.17.3,https://github.com/remix-run/react-router.git - create-react-router@7.12.0,react-router - 7.12.0
🔴CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
config-0.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
ai-commands-0.0.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
studio-0.0.9.tgz (Root Library)
common-0.0.0.tgz (Root Library)
@supabase/vue-blocks-0.1.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: Mar 31, 2026 07:25 PM
URL: CVE-2026-4800
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2026-22029
Vulnerable Library - react-router-7.5.3.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode () is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Publish Date: Jan 10, 2026 02:42 AM
URL: CVE-2026-22029
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.0
Suggested Fix
Type: Upgrade version
Origin: GHSA-2w69-qvjg-hvjx
Release Date: Jan 08, 2026 10:01 PM
Fix Resolution : https://github.com/remix-run/react-router.git - react-router@7.12.0,@remix-run/router - 1.23.2,https://github.com/remix-run/react-router.git - @remix-run/router@1.23.2,react-router - 7.12.0
🔴CVE-2025-59057
Vulnerable Library - react-router-7.5.3.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode () or Data Mode (createBrowserRouter/). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
Publish Date: Jan 10, 2026 02:40 AM
URL: CVE-2025-59057
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.6
Suggested Fix
Type: Upgrade version
Origin: GHSA-3cgp-3xvw-98x8
Release Date: Jan 09, 2026 11:24 AM
Fix Resolution : react-router - 7.9.0,https://github.com/remix-run/react-router.git - react-router@7.9.0
🔴CVE-2025-64756
Vulnerable Library - glob-10.4.5.tgz
Library home page: https://registry.npmjs.org/glob/-/glob-10.4.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Nov 17, 2025 05:29 PM
URL: CVE-2025-64756
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-5j98-mcp5-4vw2
Release Date: Nov 17, 2025 05:29 PM
Fix Resolution : https://github.com/isaacs/node-glob.git - v10.5.0,glob - 11.1.0,https://github.com/isaacs/node-glob.git - v11.1.0,glob - 10.5.0
🔴CVE-2025-66020
Vulnerable Library - valibot-0.41.0.tgz
The modular and type safe schema library for validating structural data
Library home page: https://registry.npmjs.org/valibot/-/valibot-0.41.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application. This issue has been patched in version 1.2.0.
Publish Date: Nov 26, 2025 01:49 AM
URL: CVE-2025-66020
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: open-circle/valibot@cfb799d
Release Date: Nov 26, 2025 01:49 AM
Fix Resolution : https://github.com/open-circle/valibot.git - v1.2.0
🔴CVE-2026-1526
Vulnerable Library - undici-6.21.2.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: Mar 12, 2026 08:08 PM
URL: CVE-2026-1526
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2026-1528
Vulnerable Library - undici-6.21.2.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Publish Date: Mar 12, 2026 08:21 PM
URL: CVE-2026-1528
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2026-2229
Vulnerable Library - undici-6.21.2.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
Publish Date: Mar 12, 2026 08:27 PM
URL: CVE-2026-2229
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2026-25639
Vulnerable Library - axios-1.12.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-1.12.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing proto as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 09, 2026 08:11 PM
URL: CVE-2026-25639
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: axios/axios@28c7215
Release Date: Feb 09, 2026 08:11 PM
Fix Resolution : https://github.com/axios/axios.git - v1.13.5
🔴CVE-2026-26996
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution : https://github.com/isaacs/minimatch.git - v10.2.1,https://github.com/isaacs/minimatch.git - v5.1.7,https://github.com/isaacs/minimatch.git - v4.2.4,https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v8.0.5,https://github.com/isaacs/minimatch.git - v9.0.6,https://github.com/isaacs/minimatch.git - v6.2.1,https://github.com/isaacs/minimatch.git - v7.4.7
🔴CVE-2026-27903
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: Feb 26, 2026 01:06 AM
URL: CVE-2026-27903
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: Feb 26, 2026 01:06 AM
Fix Resolution : https://github.com/isaacs/minimatch.git - v3.1.3,https://github.com/isaacs/minimatch.git - v4.2.5,https://github.com/isaacs/minimatch.git - v6.2.2,https://github.com/isaacs/minimatch.git - v10.2.3,https://github.com/isaacs/minimatch.git - v5.1.8,https://github.com/isaacs/minimatch.git - v9.0.7,https://github.com/isaacs/minimatch.git - v7.4.8,https://github.com/isaacs/minimatch.git - v8.0.6
🔴CVE-2026-27904
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: Feb 26, 2026 01:07 AM
URL: CVE-2026-27904
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: Feb 26, 2026 01:07 AM
Fix Resolution : minimatch - 7.4.8,minimatch - 10.2.3,minimatch - 8.0.6,minimatch - 6.2.2,minimatch - 9.0.7,minimatch - 5.1.8,minimatch - 4.2.5,minimatch - 3.1.4
🔴CVE-2026-39363
Vulnerable Library - vite-7.1.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.1.11.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
studio-0.0.9.tgz (Root Library)
@supabase/vue-blocks-0.1.0.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: Apr 07, 2026 07:10 PM
URL: CVE-2026-39363
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-p9ff-h696-f583
Release Date: Apr 07, 2026 07:10 PM
Fix Resolution: vite-plus - 0.1.16, https://github.com/vitejs/vite.git - v7.3.2, https://github.com/vitejs/vite.git - v6.4.2, https://github.com/vitejs/vite.git - v8.0.5
🔴CVE-2026-39364
Vulnerable Library - vite-7.1.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.1.11.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
studio-0.0.9.tgz (Root Library)
@supabase/vue-blocks-0.1.0.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
Publish Date: Apr 07, 2026 07:12 PM
URL: CVE-2026-39364
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-v2wj-q39q-566r
Release Date: Apr 07, 2026 07:12 PM
Fix Resolution: https://github.com/vitejs/vite.git - v7.3.2, https://github.com/vitejs/vite.git - v8.0.5
🔴CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
config-0.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
ai-commands-0.0.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
studio-0.0.9.tgz (Root Library)
common-0.0.0.tgz (Root Library)
@supabase/vue-blocks-0.1.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Publish Date: Jan 21, 2026 07:05 PM
URL: CVE-2025-13465
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2025-68470
Vulnerable Library - react-router-7.5.3.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Publish Date: Jan 10, 2026 02:39 AM
URL: CVE-2025-68470
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-9jcx-v3wj-wh4m
Release Date: Jan 08, 2026 10:04 PM
Fix Resolution: https://github.com/remix-run/react-router.git - create-react-router@6.30.2, https://github.com/remix-run/react-router.git - create-react-router@7.9.6, react-router - 7.9.6, react-router - 6.30.2
🟠CVE-2026-1525
Vulnerable Library - undici-6.21.2.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
Potential consequences:
Publish Date: Mar 12, 2026 07:56 PM
URL: CVE-2026-1525
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2026-22030
Vulnerable Library - react-router-7.5.3.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode () or Data Mode (createBrowserRouter/) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
Publish Date: Jan 10, 2026 02:42 AM
URL: CVE-2026-22030
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2026-29057
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
common-0.0.0.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Summary: When Next.js rewrites proxy traffic to an external backend, a crafted "DELETE"/"OPTIONS" request using "Transfer-Encoding: chunked" could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.
Impact: An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches: The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so "content-length: 0" is added only when both "content-length" and "transfer-encoding" are absent, and "transfer-encoding" is no longer removed in that code path.
Workarounds: If upgrade is not immediately possible:
- Block chunked "DELETE"/"OPTIONS" requests on rewritten routes at your edge/proxy.
- Enforce authentication/authorization on backend routes per our "security guidance" (https://nextjs.org/docs/app/guides/data-security).
Publish Date: Mar 18, 2026 01:55 AM
URL: CVE-2026-29057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: vercel/next.js@dc98c04
Release Date: Mar 18, 2026 12:30 AM
Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7, https://github.com/vercel/next.js.git - v15.5.13