Lucene search
K
Webpack.jsWebpack

4 matches found

CVE
CVE
added 2024/08/27 5:7 p.m.356 views

CVE-2024-43788

CVE-2024-43788: Webpack’s AutoPublicPathRuntimeModule DOM clobbering enables XSS via scriptless HTML (e.g., unsanitized name/id attributes). Real-world exploitation observed in Canvas LMS. Fix is in Webpack release 5.94.0; upgrade recommended (no public workarounds documented).

6.4CVSS6AI score0.00904EPSS
CVE
CVE
added 2023/03/13 12:0 a.m.274 views

CVE-2023-28154

CVE-2023-28154 affects Webpack 5 before 5.76.0. ImportParserPlugin.js mishandles the magic comment feature, allowing an attacker who controls a property of an untrusted object to obtain access to the real global object (cross-realm object access). CVSS v3.1 base score 9.8 (CRITICAL). Remediation:...

9.8CVSS9.1AI score0.01421EPSS
CVE
CVE
added 2026/02/05 11:8 p.m.123 views

CVE-2025-68157

Webpack vulnerability CVE-2025-68157 affects the HttpUriPlugin when experiments.buildHttp is enabled. From 5.49.0 through versions before 5.104.0, allowedUris are validated only for the initial URL; redirects (HTTP 30x) are not re-validated, allowing an import restricted to a trusted allow-list t...

3.7CVSS5.4AI score0.002EPSS
CVE
CVE
added 2026/02/05 11:8 p.m.37 views

CVE-2025-68458

Webpack CVE-2025-68458 affects Webpack’s HTTP(S) resolver (HttpUriPlugin) when experiments.buildHttp is enabled. A crafted URL containing userinfo (username:password@host) can bypass allowedUris checks and cause the build process to request resources from internal or non-whitelisted hosts, enabli...

3.7CVSS5.4AI score0.002EPSS