EJS — CVE history (npm)

EJS

5 CVEs affect the EJS npm package (highest CVSS 9.8). Latest disclosed: 2023-05-04. Full CVE history sourced from NVD.

Summary

Package
EJS (npm)
Total CVEs
5
Actively exploited (CISA KEV)
0
Highest CVSS
9.8
Latest disclosed
2023-05-04

Recent CVEs (top 5)

CVESeverityCVSSKEVPublishedSummary
CVE-2023-29827Critical9.82023-05-04ejs v3.1.9 is vulnerable to server-side template injection.
CVE-2022-29078Critical9.82022-04-25The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName].
CVE-2017-1000228Critical9.82017-11-17nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
CVE-2017-1000189High7.52017-11-17nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
CVE-2017-1000188Medium6.12017-11-17nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection

All-time worst (top 5 by CVSS)

CVESeverityCVSSKEVPublishedSummary
CVE-2023-29827Critical9.82023-05-04ejs v3.1.9 is vulnerable to server-side template injection.
CVE-2022-29078Critical9.82022-04-25The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName].
CVE-2017-1000228Critical9.82017-11-17nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
CVE-2017-1000189High7.52017-11-17nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
CVE-2017-1000188Medium6.12017-11-17nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection