5 matches found
artery-routes-docs (>=0.0.2 <=0.0.25), arteryjs (=0.0.0) +5 more potentially affected by unknown CVE via to-slug (=0.0.0)
to-slug NPM version =0.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on to-slug and may be impacted: artery-routes-docs =0.0.2, =0.2.0, =0.0.0, =1.0.1. Source CVEs: unknown CVE. Source advisory: OSV:MAL-2025-37002...
CVE-2025-8975
CVE-2025-8975 affects givanz Vvveb up to 1.0.5, where the slug parameter is mishandled in the file admin/template/content/edit.tpl, enabling cross-site scripting. The issue can be exploited remotely and the exploit has been disclosed publicly. A fix is available in version 1.0.6; patch hash: 84c1...
CVE-2024-9000 Improper Authorization and Duplicate Slug Vulnerability in lunary-ai/lunary
In lunary-ai/lunary before version 1.4.26, the checklists.post endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended permission checks...
Relative Path Traversal
github.com/hashicorp/go-slug is vulnerable to Relative Path Traversal. The vulnerability is due to improper path validation when extracting user-provided paths from tar entries, allowing for directory traversal and potential overwriting of arbitrary files...
GHSA-WPFP-CM49-9M9Q HashiCorp go-slug Vulnerable to Zip Slip Attack
Summary: HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3. Background: HashiCorp’s go-slug shared library offers functions for...