23 matches found
Arbitrary Code Injection
md-to-pdf is vulnerable to Arbitrary Code Injection. The vulnerability is due to a Markdown front-matter block that contains JavaScript delimiter, where the JS engine in gray-matter library executes arbitrary code in the Markdown to PDF converter process of md-to-pdf library, and attackers can...
GHSA-529F-9QWM-9628 tinacms is vulnerable to arbitrary code execution
Summary tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. Details The gray-matter package executes by default the code in the markdown file's front matter. tinacms...
tinacms is vulnerable to arbitrary code execution
Summary tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. Details The gray-matter package executes by default the code in the markdown file's front matter. tinacms...
Arbitrary Code Injection
Overview tinacms is a headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Arbitrary Code Injection via the improper use of gray-matter package. An attacker can execute arbitrary code on the server by submitti...
cyber
Cyber A website and repository for everything related to my s...
cyber
Cyber A website and repository for everything related to my s...
CVE-2025-65108
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...
CVE-2025-65108
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...
EUVD-2025-198317
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...
CVE-2025-65108
CVE-2025-65108 affects the md-to-pdf CLI (Markdown to PDF) where parsing front matter with a JavaScript delimiter can trigger the gray-matter JS engine to execute arbitrary code during the conversion process, enabling remote code execution. This vulnerability exists in versions prior to 5.2.5 and...
CVE-2025-65108 md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...
CVE-2025-65108 md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...
CVE-2025-65108 md-to-pdf is vulnerable to arbitrary JavaScript code execution when parsing front matter
md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process o...
Arbitrary Code Injection
Overview md-to-pdf is a CLI tool for converting Markdown files to PDF. Affected versions of this package are vulnerable to Arbitrary Code Injection via the gray-matter library when parsing front matter containing JavaScript delimiters. An attacker can execute arbitrary code in the Markdown-to-PDF...
GHSA-547R-QMJM-8HVW md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
Summary A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of md-to-pdf library, resulting in remote code execution. Details md-to-pdf uses the gray-matter library to parse...
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
Summary A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of md-to-pdf library, resulting in remote code execution. Details md-to-pdf uses the gray-matter library to parse...
PT-2025-47654
Name of the Vulnerable Software and Affected Versions md-to-pdf versions prior to 5.2.5 Description md-to-pdf is a command-line interface CLI tool used for converting Markdown files to PDF format, utilizing Node.js and a headless Chrome browser. A flaw exists in the way the tool handles Markdown...
GHSA-R6VW-8V8R-PMP4 Server Side Template Injection (SSTI)
Summary Due to the unrestricted access to twig extension class from grav context, an attacker can redefine config variable. As a result, attacker can bypass previous patch. Details The twig context has a function declared called getFunction. php public function getFunction$name if...
PT-2024-22274 · Grav · Grav
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.45 Description: The issue arises from unrestricted access to the twig extension class from the grav context, allowing an attacker to redefine the escape function and execute arbitrary commands. This can be achieved ...
PT-2024-22272 · Grav · Grav
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.45 Description: Grav is an open-source, flat-file content management system. The issue arises because Grav validates accessible functions through the Utils::isDangerousFunction function but does not impose...