Vulnerable Library - react-scripts-5.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/plugin-transform-modules-systemjs/package.json
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-41907
Vulnerable Library - uuid-8.3.2.tgz
RFC4122 (v1, v4, and v5) UUIDs
Library home page: https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/uuid/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.9.0.tgz
- sockjs-0.3.24.tgz
- ❌ uuid-8.3.2.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Publish Date: 2026-04-24
URL: CVE-2026-41907
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-w5hq-g745-h8pq
Release Date: 2026-04-24
Fix Resolution: https://github.com/uuidjs/uuid.git - v11.1.1,https://github.com/uuidjs/uuid.git - v13.0.1,https://github.com/uuidjs/uuid.git - v12.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-33228
Vulnerable Library - flatted-3.2.5.tgz
A super light and fast circular JSON parser.
Library home page: https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/flatted/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- eslint-8.16.0.tgz
- file-entry-cache-6.0.1.tgz
- flat-cache-3.0.4.tgz
- ❌ flatted-3.2.5.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "proto" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-03-20
URL: CVE-2026-33228
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-20
Fix Resolution: https://github.com/WebReflection/flatted.git - v3.4.2
Step up your Open Source Security Game with Mend here
CVE-2023-28154
Vulnerable Library - webpack-5.72.1.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.72.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- ❌ webpack-5.72.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Publish Date: 2023-03-13
URL: CVE-2023-28154
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2023-03-13
Fix Resolution: webpack - 5.76.0
Step up your Open Source Security Game with Mend here
CVE-2022-37601
Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- file-loader-6.2.0.tgz
- ❌ loader-utils-2.0.2.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution: loader-utils - 1.4.1,2.0.3
Step up your Open Source Security Game with Mend here
CVE-2023-45133
Vulnerable Library - traverse-7.18.2.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.18.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- core-7.18.2.tgz
- ❌ traverse-7.18.2.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Babel is a compiler for writingJavaScript. In "@babel/traverse" prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of "babel-traverse", using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the "path.evaluate()"or "path.evaluateTruthy()" internal Babel methods. Known affected plugins are "@babel/plugin-transform-runtime"; "@babel/preset-env" when using its "useBuiltIns" option; and any "polyfill provider" plugin that depends on "@babel/helper-define-polyfill-provider", such as "babel-plugin-polyfill-corejs3", "babel-plugin-polyfill-corejs2", "babel-plugin-polyfill-es-shims", "babel-plugin-polyfill-regenerator". No other plugins under the "@babel/" namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in "@babel/traverse@7.23.2" and "@babel/traverse@8.0.0-alpha.4". Those who cannot upgrade "@babel/traverse" and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected "@babel/traverse" versions: "@babel/plugin-transform-runtime" v7.23.2, "@babel/preset-env" v7.23.2, "@babel/helper-define-polyfill-provider" v0.4.3, "babel-plugin-polyfill-corejs2" v0.4.6, "babel-plugin-polyfill-corejs3" v0.8.5, "babel-plugin-polyfill-es-shims" v0.10.0, "babel-plugin-polyfill-regenerator" v0.5.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-10-12
URL: CVE-2023-45133
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution: @babel/traverse - 7.23.2,@babel/traverse - 7.23.2
Step up your Open Source Security Game with Mend here
CVE-2026-27606
Vulnerable Library - rollup-2.75.3.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-2.75.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/rollup/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- workbox-webpack-plugin-6.5.3.tgz
- workbox-build-6.5.3.tgz
- ❌ rollup-2.75.3.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences ("../") to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Publish Date: 2026-02-25
URL: CVE-2026-27606
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-25
Fix Resolution: https://github.com/rollup/rollup.git - v2.80.0,https://github.com/rollup/rollup.git - v3.30.0,https://github.com/rollup/rollup.git - v4.59.0
Step up your Open Source Security Game with Mend here
CVE-2025-7783
Vulnerable Library - form-data-3.0.1.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/form-data/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- jest-27.5.1.tgz
- jest-cli-27.5.1.tgz
- jest-config-27.5.1.tgz
- jest-environment-jsdom-27.5.1.tgz
- jsdom-16.7.0.tgz
- ❌ form-data-3.0.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: 2025-07-18
Fix Resolution: form-data - 3.0.4,https://github.com/form-data/form-data.git - v2.5.4,form-data - 4.0.4,https://github.com/form-data/form-data.git - v4.0.4,https://github.com/form-data/form-data.git - v3.0.4,form-data - 2.5.4
Step up your Open Source Security Game with Mend here
CVE-2025-12816
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.9.0.tgz
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution: node-forge - 1.3.2,https://github.com/digitalbazaar/forge.git - v1.3.2
Step up your Open Source Security Game with Mend here
CVE-2026-44728
Vulnerable Library - plugin-transform-modules-systemjs-7.18.4.tgz
This plugin transforms ES2015 modules to SystemJS
Library home page: https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.18.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/plugin-transform-modules-systemjs/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-5.5.0.tgz
- preset-env-7.18.2.tgz
- ❌ plugin-transform-modules-systemjs-7.18.4.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Impact Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are: - "@babel/plugin-transform-modules-systemjs" - "@babel/preset-env" when using the ""modules: "systemjs"" option" (https://babel.dev/docs/babel-preset-env#modules), as it delegates to "@babel/plugin-transform-modules-systemjs" No other plugins under the "@babel" namespace are impacted. Users that only compile trusted code are not impacted. Patches The vulnerability has been fixed in "@babel/plugin-transform-modules-systemjs@7.29.4". Babel also released "@babel/preset-env@7.29.5", updating its "@babel/plugin-transform-modules-systemjs" dependency, to simplify forcing the update if you are using "@babel/preset-env" directly. Workarounds - Pin "@babel/parser" to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade "@babel/plugin-transform-modules-systemjs" to v7.29.4. - Do not use the "modules: "systemjs"" option, migrate the codebase to native ES Modules or any other module formats. Credits Babel thanks Daniel Cervera for reporting the vulnerability.
Publish Date: 2026-05-10
URL: CVE-2026-44728
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fv7c-fp4j-7gwp
Release Date: 2026-05-09
Fix Resolution: @babel/plugin-transform-modules-systemjs - 8.0.0-alpha.13,@babel/plugin-transform-modules-systemjs - 7.29.4
Step up your Open Source Security Game with Mend here
CVE-2026-4867
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-to-regexp/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.9.0.tgz
- express-4.18.1.tgz
- ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Publish Date: 2026-03-26
URL: CVE-2026-4867
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-37ch-88jc-xwx2
Release Date: 2026-03-26
Fix Resolution: path-to-regexp - 0.1.13
Step up your Open Source Security Game with Mend here
CVE-2026-33895
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.9.0.tgz
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order ("S >= L"). A valid signature and its "S + L" variant both verify in forge, while Node.js "crypto.verify" (OpenSSL-backed) rejects the "S + L" variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33895
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-33894
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.9.0.tgz
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33894
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-ppp5-5v6c-4jwp
Release Date: 2026-03-26
Fix Resolution: node-forge - 1.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-33891
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- webpack-dev-server-4.9.0.tgz
- selfsigned-2.0.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33891
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-33671
Vulnerable Library - picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/picomatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- jest-resolve-27.5.1.tgz
- jest-util-27.5.1.tgz
- ❌ picomatch-2.3.1.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Step up your Open Source Security Game with Mend here
CVE-2026-32141
Vulnerable Library - flatted-3.2.5.tgz
A super light and fast circular JSON parser.
Library home page: https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/flatted/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- eslint-8.16.0.tgz
- file-entry-cache-6.0.1.tgz
- flat-cache-3.0.4.tgz
- ❌ flatted-3.2.5.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
Publish Date: 2026-03-12
URL: CVE-2026-32141
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-12
Fix Resolution: https://github.com/WebReflection/flatted.git - v3.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-29074
Vulnerable Library - svgo-2.8.0.tgz
Nodejs-based tool for optimizing SVG vector graphics files
Library home page: https://registry.npmjs.org/svgo/-/svgo-2.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-svgo/node_modules/svgo/package.json
Dependency Hierarchy:
- react-scripts-5.0.1.tgz (Root Library)
- css-minimizer-webpack-plugin-3.4.1.tgz
- cssnano-5.1.10.tgz
- cssnano-preset-default-5.2.10.tgz
- postcss-svgo-5.1.0.tgz
- ❌ svgo-2.8.0.tgz (Vulnerable Library)
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.
Publish Date: 2026-03-06
URL: CVE-2026-29074
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xpqw-6gx7-v673
Release Date: 2026-03-05
Fix Resolution: svgo - 3.3.3,svgo - 4.0.1,svgo - 2.8.1
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/plugin-transform-modules-systemjs/package.json
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - uuid-8.3.2.tgz
RFC4122 (v1, v4, and v5) UUIDs
Library home page: https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/uuid/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Publish Date: 2026-04-24
URL: CVE-2026-41907
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-w5hq-g745-h8pq
Release Date: 2026-04-24
Fix Resolution: https://github.com/uuidjs/uuid.git - v11.1.1,https://github.com/uuidjs/uuid.git - v13.0.1,https://github.com/uuidjs/uuid.git - v12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - flatted-3.2.5.tgz
A super light and fast circular JSON parser.
Library home page: https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/flatted/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "proto" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-03-20
URL: CVE-2026-33228
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-20
Fix Resolution: https://github.com/WebReflection/flatted.git - v3.4.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - webpack-5.72.1.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.72.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Publish Date: 2023-03-13
URL: CVE-2023-28154
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2023-03-13
Fix Resolution: webpack - 5.76.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution: loader-utils - 1.4.1,2.0.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - traverse-7.18.2.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.18.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Babel is a compiler for writingJavaScript. In "@babel/traverse" prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of "babel-traverse", using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the "path.evaluate()"or "path.evaluateTruthy()" internal Babel methods. Known affected plugins are "@babel/plugin-transform-runtime"; "@babel/preset-env" when using its "useBuiltIns" option; and any "polyfill provider" plugin that depends on "@babel/helper-define-polyfill-provider", such as "babel-plugin-polyfill-corejs3", "babel-plugin-polyfill-corejs2", "babel-plugin-polyfill-es-shims", "babel-plugin-polyfill-regenerator". No other plugins under the "@babel/" namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in "@babel/traverse@7.23.2" and "@babel/traverse@8.0.0-alpha.4". Those who cannot upgrade "@babel/traverse" and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected "@babel/traverse" versions: "@babel/plugin-transform-runtime" v7.23.2, "@babel/preset-env" v7.23.2, "@babel/helper-define-polyfill-provider" v0.4.3, "babel-plugin-polyfill-corejs2" v0.4.6, "babel-plugin-polyfill-corejs3" v0.8.5, "babel-plugin-polyfill-es-shims" v0.10.0, "babel-plugin-polyfill-regenerator" v0.5.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-10-12
URL: CVE-2023-45133
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution: @babel/traverse - 7.23.2,@babel/traverse - 7.23.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - rollup-2.75.3.tgz
Next-generation ES module bundler
Library home page: https://registry.npmjs.org/rollup/-/rollup-2.75.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/rollup/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences ("../") to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Publish Date: 2026-02-25
URL: CVE-2026-27606
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-25
Fix Resolution: https://github.com/rollup/rollup.git - v2.80.0,https://github.com/rollup/rollup.git - v3.30.0,https://github.com/rollup/rollup.git - v4.59.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - form-data-3.0.1.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/form-data/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: 2025-07-18
Fix Resolution: form-data - 3.0.4,https://github.com/form-data/form-data.git - v2.5.4,form-data - 4.0.4,https://github.com/form-data/form-data.git - v4.0.4,https://github.com/form-data/form-data.git - v3.0.4,form-data - 2.5.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution: node-forge - 1.3.2,https://github.com/digitalbazaar/forge.git - v1.3.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - plugin-transform-modules-systemjs-7.18.4.tgz
This plugin transforms ES2015 modules to SystemJS
Library home page: https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.18.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/plugin-transform-modules-systemjs/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Impact Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are: - "@babel/plugin-transform-modules-systemjs" - "@babel/preset-env" when using the ""modules: "systemjs"" option" (https://babel.dev/docs/babel-preset-env#modules), as it delegates to "@babel/plugin-transform-modules-systemjs" No other plugins under the "@babel" namespace are impacted. Users that only compile trusted code are not impacted. Patches The vulnerability has been fixed in "@babel/plugin-transform-modules-systemjs@7.29.4". Babel also released "@babel/preset-env@7.29.5", updating its "@babel/plugin-transform-modules-systemjs" dependency, to simplify forcing the update if you are using "@babel/preset-env" directly. Workarounds - Pin "@babel/parser" to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade "@babel/plugin-transform-modules-systemjs" to v7.29.4. - Do not use the "modules: "systemjs"" option, migrate the codebase to native ES Modules or any other module formats. Credits Babel thanks Daniel Cervera for reporting the vulnerability.
Publish Date: 2026-05-10
URL: CVE-2026-44728
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-fv7c-fp4j-7gwp
Release Date: 2026-05-09
Fix Resolution: @babel/plugin-transform-modules-systemjs - 8.0.0-alpha.13,@babel/plugin-transform-modules-systemjs - 7.29.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-to-regexp/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Publish Date: 2026-03-26
URL: CVE-2026-4867
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-37ch-88jc-xwx2
Release Date: 2026-03-26
Fix Resolution: path-to-regexp - 0.1.13
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order ("S >= L"). A valid signature and its "S + L" variant both verify in forge, while Node.js "crypto.verify" (OpenSSL-backed) rejects the "S + L" variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33895
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33894
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-ppp5-5v6c-4jwp
Release Date: 2026-03-26
Fix Resolution: node-forge - 1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Publish Date: 2026-03-27
URL: CVE-2026-33891
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-27
Fix Resolution: https://github.com/digitalbazaar/forge.git - v1.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - picomatch-2.3.1.tgz
Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.
Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/picomatch/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include disabling extglob support for untrusted patterns by using "noextglob: true", rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "()", enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Publish Date: 2026-03-26
URL: CVE-2026-33671
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/micromatch/picomatch.git - 3.0.2,https://github.com/micromatch/picomatch.git - 4.0.4,https://github.com/micromatch/picomatch.git - 2.3.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - flatted-3.2.5.tgz
A super light and fast circular JSON parser.
Library home page: https://registry.npmjs.org/flatted/-/flatted-3.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/flatted/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
Publish Date: 2026-03-12
URL: CVE-2026-32141
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-12
Fix Resolution: https://github.com/WebReflection/flatted.git - v3.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - svgo-2.8.0.tgz
Nodejs-based tool for optimizing SVG vector graphics files
Library home page: https://registry.npmjs.org/svgo/-/svgo-2.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-svgo/node_modules/svgo/package.json
Dependency Hierarchy:
Found in HEAD commit: dfccd1bdca80effeb9228c14844d8f58a9531f3e
Found in base branch: master
Vulnerability Details
SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.
Publish Date: 2026-03-06
URL: CVE-2026-29074
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xpqw-6gx7-v673
Release Date: 2026-03-05
Fix Resolution: svgo - 3.3.3,svgo - 4.0.1,svgo - 2.8.1
Step up your Open Source Security Game with Mend here