generator-hottowel is vulnerable to Reflected Cross-site Scripting (XSS) attacks. The library does not properly handle invalid calls to assets as it uses a custom 404 response object, allowing an attacker to inject and execute JavaScript through the app.use function in app/templates/src/server/_app.js.
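The following is an added example, not code from generator-hottowel or from this advisory: a 404 responder in plain Node.js, with the weak form beside a hardened one. It assumes the custom 404 response echoes the requested URL into an HTML body; the function names, response shape and sample URL are constructed for illustration.

```javascript
'use strict';

// Encode the five HTML-significant characters so reflected input stays text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak form (assumed pattern): the request URL is concatenated into HTML as-is,
// so markup in the URL becomes markup in the 404 page.
function notFoundUnsafe(url) {
  return {
    status: 404,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: '<h1>404 Not Found</h1><p>' + url + '</p>',
  };
}

// Hardened form: escape the reflected URL, forbid MIME sniffing, and send a
// restrictive CSP so the error page cannot run script even if escaping is missed.
function notFoundSafe(url) {
  return {
    status: 404,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Content-Security-Policy': "default-src 'none'",
    },
    body: '<h1>404 Not Found</h1><p>' + escapeHtml(url) + '</p>',
  };
}

// Constructed sample: a request for a missing asset carrying markup in the query.
const SAMPLE_URL = '/assets/missing.js?<script>alert(1)</script>';

// In an Express handler (assumed wiring) the result would be sent with:
//   const r = notFoundSafe(req.originalUrl);
//   res.status(r.status).set(r.headers).send(r.body);

console.log('unsafe:', notFoundUnsafe(SAMPLE_URL).body);
console.log('safe:  ', notFoundSafe(SAMPLE_URL).body);
```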