Shopify: Attacker is able to query GitHub repositories of arbitrary Shopify Hydrogen Users
Private GitHub repositories of arbitrary Shopify Hydrogen users were accessible to attackers due to a vulnerability in the Hydrogen app. Attackers could query the GitHub account of any Hydrogen user and obtain sensitive information such as private repositories...
Cross-site Scripting (XSS)
@shopify/hydrogen is vulnerable to cross-site scripting. An attacker can inject and execute malicious JavaScript through the renderHydrogen function of entry-server.js when the application is built with hydrogen...