Node.js Embedded JavaScript 3.1.6 - Template Injection

Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settingsview optionsoutputFunctionName, which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation. id:...

Embedded JavaScript(EJS) 3.1.6 - Template Injection

ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. id: CVE-2023-29827 info: name: Embedded JavaScriptEJS 3.1.6 - Template Injection author:...

CVE-2026-47376

CVE-2026-47376 (NocoDB) describes a reflected XSS on the password-reset flow. Before 2026.04.1, the token from the password-reset URL was directly embedded into a JavaScript string in a server-rendered EJS template, which does not escape single quotes or backslashes. This allowed an attacker-cont...

Astra Linux – Vulnerability in Node-EJS

The ejs also known as Embedded JavaScript templates package in Node.js before version 3.1.10 lacked certain measures to prevent pollution...

NocoDB: Reflected Cross-Site Scripting via Password Reset Token

Summary The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and...

CVE-2026-41951

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

Exploit for Code Injection in Ejs

No d...

CVE-2026-39980

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform...

Security Bulletin: Multiple open source vulnerabilities affect IBM Db2 Big SQL on Cloud Pak for Data

Summary Multiple open source vulnerabilities affect IBM Db2 Big SQL 7 on Cloud Pak for Data 5 Vulnerability Details CVEID:CVE-2024-37891 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip the Proxy-Authorization header...

EUVD-2018-0173

Malware in sbrugna...

EUVD-2017-0340

Malware in sbrugna...

EUVD-2017-0347

Malware in sbrugna...

Exploit for CVE-2025-27210

This is a PoC exploit for CVE-2025-27210, a vulnerability in a N...

Linux Distros Unpatched Vulnerability : CVE-2023-29827

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration...

Malicious code in ejs-client (npm)

The package ejs-client was found to contain malicious code...

MAL-2025-19278 Malicious code in ejs-client (npm)

The package ejs-client was found to contain malicious code...

CVE-2025-46120

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a...

CVE-2025-46120

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a...

CVE-2025-46120

The CVE-2025-46120 entry affects CommScope Ruckus Unleashed (before 200.15.6.212.27 and 200.18.7.1.323) and Ruckus ZoneDirector (before 10.5.1.0.282). A path-traversal flaw in the web interface allows an attacker who can upload a template (e.g., via FTP) to have the server execute attacker-suppli...

CVE-2025-46120

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a...