OSV:GHSA-3965-HPX2-Q597 (source: Google osv.dev)
History: May 24, 2024 - 2:45 p.m.

Pug allows JavaScript code execution if an application accepts untrusted input

Published: 2024-05-24 14:45:02
Reporter: Google, osv.dev
Tags: pug, javascript, code execution, untrusted input, compileClient, compileFileClient, compileClientWithDependenciesTracked, templates

AI Score: 7.3 High (Confidence: High)
EPSS: 0 Low (Percentile: 0.0%)

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
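As an added illustration (not code from the Pug project or from this advisory), the block below models the defect described above and the check a caller should put in front of it. The `name` option becomes the identifier in the emitted `function <name>(locals) { ... }` header of the client-side template; a constructed stand-in generator (`fakeCompileClient`, not pug-code-gen) reproduces only that splicing so the example runs without Pug installed. `compileClientSafely` is a hypothetical wrapper that accepts a compile function by parameter (in an application that would be `pug.compileClient` or one of the other two functions named above) and refuses any name that is not a plain identifier.

```javascript
// Added example, not Pug's own code. Models the `name` option of
// compileClient-style calls being spliced verbatim into generated JavaScript,
// and a guard that rejects anything other than a plain identifier.

// Only an ASCII identifier is accepted. The value ends up inside source code,
// so it is rejected rather than "cleaned" when it contains anything else.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words cannot inject code but would yield a template that fails to parse.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'enum', 'export', 'extends', 'false', 'finally', 'for',
  'function', 'if', 'import', 'in', 'instanceof', 'new', 'null', 'return', 'super',
  'switch', 'this', 'throw', 'true', 'try', 'typeof', 'var', 'void', 'while', 'with',
  'yield', 'let', 'static', 'implements', 'interface', 'package', 'private',
  'protected', 'public', 'await',
]);

function isSafeTemplateName(name) {
  return typeof name === 'string' && IDENTIFIER_RE.test(name) && !RESERVED.has(name);
}

// Hypothetical wrapper for pug.compileClient / compileFileClient /
// compileClientWithDependenciesTracked. `compileFn` is injected so the example
// runs offline; in an application pass the real Pug function.
function compileClientSafely(compileFn, src, options = {}) {
  const { name = 'template', ...rest } = options;
  if (!isSafeTemplateName(name)) {
    throw new TypeError(`refusing unsafe template name: ${JSON.stringify(name)}`);
  }
  return compileFn(src, { ...rest, name });
}

// Constructed stand-in for the code generator. It models one behaviour only:
// the `name` option is written straight into the function header. Not pug-code-gen.
function fakeCompileClient(src, options) {
  const name = options.name || 'template';
  return `function ${name}(locals) {\n  return ${JSON.stringify(src)};\n}`;
}

// Constructed attacker-controlled value: closes the header early, runs a
// statement, then reopens a function so the generated source still parses.
const EVIL_NAME = 'template(){};globalThis.__pwned_demo = true;function x';

// Runs the unguarded and guarded paths and reports what happened.
function demo() {
  // Unguarded: load the generated source the way a bundler or `eval` would.
  const unguarded = fakeCompileClient('p hello', { name: EVIL_NAME });
  delete globalThis.__pwned_demo;
  new Function(unguarded)(); // executes the injected statement
  const injected = globalThis.__pwned_demo === true;

  // Guarded: the same payload is rejected before any code is generated.
  let guardedError = null;
  try {
    compileClientSafely(fakeCompileClient, 'p hello', { name: EVIL_NAME });
  } catch (e) {
    guardedError = e;
  }

  // A legitimate name passes through unchanged.
  const benign = compileClientSafely(fakeCompileClient, 'p hello', { name: 'helloTemplate' });
  return { injected, guardedError, benign };
}
```

The identifier regex is the whole defence: there is no way to "escape" a string that is about to become a JavaScript identifier, so anything that fails the match is refused. Where the template name must be influenced by a request at all, map the input onto a fixed allowlist of names instead of validating free text.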

Affected packages (CPE):

| Name         | Operator | Version |
|--------------|----------|---------|
| pug-code-gen | lt       | 3.0.3   |
| pug          | lt       | 3.0.3   |

