EPSS Percentile: 92.4%
scratch-vm is vulnerable to remote code execution (RCE). It does not escape extension URL values in the function getExtensionIdForOpcode in serialization/sb3.js, allowing an attacker to inject _ characters and have the resulting value executed as a worker.
github.com/LLK/scratch-vm/commit/90b9da45f4084958535338d1c4d71a22d6136aab
github.com/LLK/scratch-vm/pull/2476
scratch.mit.edu/discuss/topic/422904/?page=1#post-4223443