EJS — CVE history (npm)
EJS
5 CVEs affect the EJS npm package (highest CVSS 9.8). Latest disclosed: 2023-05-04. Full CVE history sourced from NVD.
Summary
- Package: EJS (npm)
- Total CVEs: 5
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.8
- Latest disclosed: 2023-05-04
Recent CVEs (top 5)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-29827 | Critical | 9.8 | — | 2023-05-04 | ejs v3.1.9 is vulnerable to server-side template injection. |
| CVE-2022-29078 | Critical | 9.8 | — | 2022-04-25 | The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. |
| CVE-2017-1000228 | Critical | 9.8 | — | 2017-11-17 | nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function |
| CVE-2017-1000189 | High | 7.5 | — | 2017-11-17 | nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile() |
| CVE-2017-1000188 | Medium | 6.1 | — | 2017-11-17 | nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection |
All-time worst (top 5 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-29827 | Critical | 9.8 | — | 2023-05-04 | ejs v3.1.9 is vulnerable to server-side template injection. |
| CVE-2022-29078 | Critical | 9.8 | — | 2022-04-25 | The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. |
| CVE-2017-1000228 | Critical | 9.8 | — | 2017-11-17 | nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function |
| CVE-2017-1000189 | High | 7.5 | — | 2017-11-17 | nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile() |
| CVE-2017-1000188 | Medium | 6.1 | — | 2017-11-17 | nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection |