DEFRA / forms team

Security

Open Dependabot vulnerability alerts across team repositories.

Last updated 41 minutes ago. Next update in 0 minutes.

362 open vulnerability alerts across team repositories.

Critical 12 alerts

Package Repo Severity Advisory ID Fixed in
@wdio/browserstack-service forms-acceptance-tests Critical WebdriverIO BrowserStack Service has a Command Injection issue GHSA-5c46-x3qw-q7j7 / CVE-2026-25244 9.24.0
basic-ftp forms-acceptance-tests Critical Basic FTP has Path Traversal Vulnerability in its downloadToDir() method GHSA-5rq4-664w-9x2c / CVE-2026-27699 5.2.0
fast-xml-parser forms-acceptance-tests Critical fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names GHSA-m7jm-9gc2-mpf2 / CVE-2026-25896 5.3.5
basic-ftp forms-adaptor-template Critical Basic FTP has Path Traversal Vulnerability in its downloadToDir() method GHSA-5rq4-664w-9x2c / CVE-2026-27699 5.2.0
convict forms-adaptor-template Critical Convict has Prototype Pollution via startsWith() function GHSA-44fc-8fm5-q62h / CVE-2026-33864 6.2.5
convict forms-adaptor-template Critical Convict has prototype pollution via load(), loadFile(), and schema initialization GHSA-hf2r-9gf9-rwch / CVE-2026-33863 6.2.5
fast-xml-parser forms-adaptor-template Critical fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names GHSA-m7jm-9gc2-mpf2 / CVE-2026-25896 5.3.5
basic-ftp forms-e2e-smoke-test Critical Basic FTP has Path Traversal Vulnerability in its downloadToDir() method GHSA-5rq4-664w-9x2c / CVE-2026-27699 5.2.0
basic-ftp forms-newls-cwt-listener Critical Basic FTP has Path Traversal Vulnerability in its downloadToDir() method GHSA-5rq4-664w-9x2c / CVE-2026-27699 5.2.0
convict forms-newls-cwt-listener Critical Convict has Prototype Pollution via startsWith() function GHSA-44fc-8fm5-q62h / CVE-2026-33864 6.2.5
convict forms-newls-cwt-listener Critical Convict has prototype pollution via load(), loadFile(), and schema initialization GHSA-hf2r-9gf9-rwch / CVE-2026-33863 6.2.5
fast-xml-parser forms-newls-cwt-listener Critical fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names GHSA-m7jm-9gc2-mpf2 / CVE-2026-25896 5.3.5

High 172 alerts

Package Repo Severity Advisory ID Fixed in
axios forms-acceptance-tests High Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking GHSA-pf86-5x62-jrwf / CVE-2026-42033 1.15.1
axios forms-acceptance-tests High Axios: Header Injection via Prototype Pollution GHSA-6chq-wfr3-2hj9 / CVE-2026-42035 1.15.1
axios forms-acceptance-tests High Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 GHSA-pmwg-cvhr-8vh7 / CVE-2026-42043 1.15.1
axios forms-acceptance-tests High Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking GHSA-q8qp-cvcw-x6jj / CVE-2026-42264 1.15.2
axios forms-acceptance-tests High Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig GHSA-43fc-jf86-j433 / CVE-2026-25639 1.13.5
axios forms-acceptance-tests High Axios is vulnerable to DoS attack through lack of data size check GHSA-4hjh-wcwx-xvwj / CVE-2025-58754 1.12.0
basic-ftp forms-acceptance-tests High basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering GHSA-rpmf-866q-6p89 / CVE-2026-44240 5.3.1
basic-ftp forms-acceptance-tests High basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() GHSA-rp42-5vxx-qpwr / CVE-2026-41324 5.3.0
basic-ftp forms-acceptance-tests High basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands GHSA-6v7q-wjvx-w8wg 5.2.2
fast-xml-parser forms-acceptance-tests High fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) GHSA-8gc5-j5rx-235r / CVE-2026-33036 5.5.6
fast-xml-parser forms-acceptance-tests High fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) GHSA-jmr7-xgp7-cmfj / CVE-2026-26278 5.3.6
fast-xml-parser forms-acceptance-tests High fast-xml-parser has RangeError DoS Numeric Entities Bug GHSA-37qj-frw5-hhjh / CVE-2026-25128 5.3.4
flatted forms-acceptance-tests High Prototype Pollution via parse() in NodeJS flatted GHSA-rf6f-7fwh-wjgh / CVE-2026-33228 3.4.2
glob forms-acceptance-tests High glob CLI: Command injection via -c/--cmd executes matches with shell:true GHSA-5j98-mcp5-4vw2 / CVE-2025-64756 10.5.0
lodash forms-acceptance-tests High lodash vulnerable to Code Injection via `_.template` imports key names GHSA-r5fr-rjxr-66jc / CVE-2026-4800 4.18.0
minimatch forms-acceptance-tests High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 3.1.3
minimatch forms-acceptance-tests High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 5.1.8
minimatch forms-acceptance-tests High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 9.0.7
minimatch forms-acceptance-tests High minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions GHSA-23c5-xmqv-rm74 / CVE-2026-27904 3.1.4
minimatch forms-acceptance-tests High minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions GHSA-23c5-xmqv-rm74 / CVE-2026-27904 5.1.8
minimatch forms-acceptance-tests High minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions GHSA-23c5-xmqv-rm74 / CVE-2026-27904 9.0.7
minimatch forms-acceptance-tests High minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern GHSA-3ppc-4f35-3m26 / CVE-2026-26996 3.1.3
minimatch forms-acceptance-tests High minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern GHSA-3ppc-4f35-3m26 / CVE-2026-26996 5.1.7
minimatch forms-acceptance-tests High minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern GHSA-3ppc-4f35-3m26 / CVE-2026-26996 9.0.6
picomatch forms-acceptance-tests High Picomatch has a ReDoS vulnerability via extglob quantifiers GHSA-c2c7-rcm5-vvqj / CVE-2026-33671 2.3.2
picomatch forms-acceptance-tests High Picomatch has a ReDoS vulnerability via extglob quantifiers GHSA-c2c7-rcm5-vvqj / CVE-2026-33671 4.0.4
playwright forms-acceptance-tests High Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate GHSA-7mvr-c777-76hp / CVE-2025-59288 1.55.1
serialize-javascript forms-acceptance-tests High Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() GHSA-5c6j-r48x-rmvq 7.0.3
tar-fs forms-acceptance-tests High tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball GHSA-vj76-c3g6-qr5v / CVE-2025-59343 3.1.1
undici forms-acceptance-tests High Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 7.24.0
undici forms-acceptance-tests High Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 6.24.0
undici forms-acceptance-tests High Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 7.24.0
undici forms-acceptance-tests High Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 6.24.0
undici forms-acceptance-tests High Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client GHSA-f269-vfmq-vjvj / CVE-2026-1528 7.24.0
undici forms-acceptance-tests High Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client GHSA-f269-vfmq-vjvj / CVE-2026-1528 6.24.0
@babel/plugin-transform-modules-systemjs forms-adaptor-template High @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input GHSA-fv7c-fp4j-7gwp / CVE-2026-44728 7.29.4
basic-ftp forms-adaptor-template High basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering GHSA-rpmf-866q-6p89 / CVE-2026-44240 5.3.1
basic-ftp forms-adaptor-template High basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() GHSA-rp42-5vxx-qpwr / CVE-2026-41324 5.3.0
basic-ftp forms-adaptor-template High basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands GHSA-6v7q-wjvx-w8wg 5.2.2
fast-uri forms-adaptor-template High fast-uri vulnerable to host confusion via percent-encoded authority delimiters GHSA-v39h-62p7-jpjc / CVE-2026-6322 3.1.2
fast-uri forms-adaptor-template High fast-uri vulnerable to path traversal via percent-encoded dot segments GHSA-q3j6-qgpj-74h6 / CVE-2026-6321 3.1.1
fast-xml-parser forms-adaptor-template High fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) GHSA-8gc5-j5rx-235r / CVE-2026-33036 5.5.6
fast-xml-parser forms-adaptor-template High fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) GHSA-jmr7-xgp7-cmfj / CVE-2026-26278 5.3.6
fast-xml-parser forms-adaptor-template High fast-xml-parser has RangeError DoS Numeric Entities Bug GHSA-37qj-frw5-hhjh / CVE-2026-25128 5.3.4
flatted forms-adaptor-template High Prototype Pollution via parse() in NodeJS flatted GHSA-rf6f-7fwh-wjgh / CVE-2026-33228 3.4.2
glob forms-adaptor-template High glob CLI: Command injection via -c/--cmd executes matches with shell:true GHSA-5j98-mcp5-4vw2 / CVE-2025-64756 10.5.0
liquidjs forms-adaptor-template High liquidjs has a Denial of Service via circular block reference in layout GHSA-4rc3-7j7w-m548 / CVE-2026-41311 10.25.7
lodash forms-adaptor-template High lodash vulnerable to Code Injection via `_.template` imports key names GHSA-r5fr-rjxr-66jc / CVE-2026-4800 4.18.0
minimatch forms-adaptor-template High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 3.1.3
minimatch forms-adaptor-template High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 9.0.7
minimatch forms-adaptor-template High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 10.2.3
picomatch forms-adaptor-template High Picomatch has a ReDoS vulnerability via extglob quantifiers GHSA-c2c7-rcm5-vvqj / CVE-2026-33671 2.3.2
rollup forms-adaptor-template High Rollup 4 has Arbitrary File Write via Path Traversal GHSA-mw96-cpmx-2vgc / CVE-2026-27606 4.59.0
serialize-javascript forms-adaptor-template High Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() GHSA-5c6j-r48x-rmvq 7.0.3
undici forms-adaptor-template High Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 7.24.0
undici forms-adaptor-template High Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 7.24.0
undici forms-adaptor-template High Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client GHSA-f269-vfmq-vjvj / CVE-2026-1528 7.24.0
validator forms-adaptor-template High Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements GHSA-vghf-hv5q-vc2g / CVE-2025-12758 13.15.22
vite forms-adaptor-template High Vite: `server.fs.deny` bypassed with queries GHSA-v2wj-q39q-566r / CVE-2026-39364 7.3.2
vite forms-adaptor-template High Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket GHSA-p9ff-h696-f583 / CVE-2026-39363 7.3.2
@babel/plugin-transform-modules-systemjs forms-audit-api High @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input GHSA-fv7c-fp4j-7gwp / CVE-2026-44728 7.29.4
basic-ftp forms-audit-api High basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering GHSA-rpmf-866q-6p89 / CVE-2026-44240 5.3.1
serialize-javascript forms-designer High Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() GHSA-5c6j-r48x-rmvq 7.0.3
@babel/plugin-transform-modules-systemjs forms-e2e-smoke-test High @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input GHSA-fv7c-fp4j-7gwp / CVE-2026-44728 7.29.4
basic-ftp forms-e2e-smoke-test High basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering GHSA-rpmf-866q-6p89 / CVE-2026-44240 5.3.1
basic-ftp forms-e2e-smoke-test High basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() GHSA-rp42-5vxx-qpwr / CVE-2026-41324 5.3.0
basic-ftp forms-e2e-smoke-test High basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands GHSA-6v7q-wjvx-w8wg 5.2.2
braces forms-e2e-smoke-test High Uncontrolled resource consumption in braces GHSA-grv7-fg5c-xmjg / CVE-2024-4068 3.0.3
flatted forms-e2e-smoke-test High Prototype Pollution via parse() in NodeJS flatted GHSA-rf6f-7fwh-wjgh / CVE-2026-33228 3.4.2
glob forms-e2e-smoke-test High glob CLI: Command injection via -c/--cmd executes matches with shell:true GHSA-5j98-mcp5-4vw2 / CVE-2025-64756 10.5.0
lodash forms-e2e-smoke-test High lodash vulnerable to Code Injection via `_.template` imports key names GHSA-r5fr-rjxr-66jc / CVE-2026-4800 4.18.0
minimatch forms-e2e-smoke-test High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 3.1.3
minimatch forms-e2e-smoke-test High minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions GHSA-23c5-xmqv-rm74 / CVE-2026-27904 3.1.4
minimatch forms-e2e-smoke-test High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 5.1.8
minimatch forms-e2e-smoke-test High minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions GHSA-23c5-xmqv-rm74 / CVE-2026-27904 5.1.8
minimatch forms-e2e-smoke-test High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 9.0.7
minimatch forms-e2e-smoke-test High minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions GHSA-23c5-xmqv-rm74 / CVE-2026-27904 9.0.7
minimatch forms-e2e-smoke-test High minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern GHSA-3ppc-4f35-3m26 / CVE-2026-26996 3.1.3
minimatch forms-e2e-smoke-test High minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern GHSA-3ppc-4f35-3m26 / CVE-2026-26996 5.1.7
minimatch forms-e2e-smoke-test High minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern GHSA-3ppc-4f35-3m26 / CVE-2026-26996 9.0.6
picomatch forms-e2e-smoke-test High Picomatch has a ReDoS vulnerability via extglob quantifiers GHSA-c2c7-rcm5-vvqj / CVE-2026-33671 2.3.2
serialize-javascript forms-e2e-smoke-test High Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() GHSA-5c6j-r48x-rmvq 7.0.3
tar-fs forms-e2e-smoke-test High tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball GHSA-vj76-c3g6-qr5v / CVE-2025-59343 3.1.1
tar-fs forms-e2e-smoke-test High tar-fs can extract outside the specified dir with a specific tarball GHSA-8cj5-5rvv-wf4v / CVE-2025-48387 3.0.9
tar-fs forms-e2e-smoke-test High tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File GHSA-pq67-2wwv-3xjx / CVE-2024-12905 3.0.7
ws forms-e2e-smoke-test High ws affected by a DoS when handling a request with many HTTP headers GHSA-3h5v-q93c-6h6q / CVE-2024-37890 8.17.1
@babel/plugin-transform-modules-systemjs forms-engine-plugin-example-ui High @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input GHSA-fv7c-fp4j-7gwp / CVE-2026-44728 7.29.4
@hapi/content forms-engine-plugin-example-ui High @hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing GHSA-jg4p-7fhp-p32p / CVE-2026-35213 6.0.1
basic-ftp forms-engine-plugin-example-ui High basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering GHSA-rpmf-866q-6p89 / CVE-2026-44240 5.3.1
basic-ftp forms-engine-plugin-example-ui High basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() GHSA-rp42-5vxx-qpwr / CVE-2026-41324 5.3.0
basic-ftp forms-engine-plugin-example-ui High basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands GHSA-6v7q-wjvx-w8wg 5.2.2
basic-ftp forms-engine-plugin-example-ui High basic-ftp has FTP Command Injection via CRLF GHSA-chqc-8p9q-pq6q / CVE-2026-39983 5.2.1
fast-uri forms-engine-plugin-example-ui High fast-uri vulnerable to host confusion via percent-encoded authority delimiters GHSA-v39h-62p7-jpjc / CVE-2026-6322 3.1.2
fast-uri forms-engine-plugin-example-ui High fast-uri vulnerable to path traversal via percent-encoded dot segments GHSA-q3j6-qgpj-74h6 / CVE-2026-6321 3.1.1
flatted forms-engine-plugin-example-ui High Prototype Pollution via parse() in NodeJS flatted GHSA-rf6f-7fwh-wjgh / CVE-2026-33228 3.4.2
liquidjs forms-engine-plugin-example-ui High liquidjs has a Denial of Service via circular block reference in layout GHSA-4rc3-7j7w-m548 / CVE-2026-41311 10.25.7
liquidjs forms-engine-plugin-example-ui High LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates GHSA-56p5-8mhr-2fph / CVE-2026-35525 10.25.3
lodash forms-engine-plugin-example-ui High lodash vulnerable to Code Injection via `_.template` imports key names GHSA-r5fr-rjxr-66jc / CVE-2026-4800 4.18.0
picomatch forms-engine-plugin-example-ui High Picomatch has a ReDoS vulnerability via extglob quantifiers GHSA-c2c7-rcm5-vvqj / CVE-2026-33671 2.3.2
@babel/plugin-transform-modules-systemjs forms-entitlement-api High @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input GHSA-fv7c-fp4j-7gwp / CVE-2026-44728 7.29.4
fast-xml-builder forms-entitlement-api High fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes GHSA-5wm8-gmm8-39j9 / CVE-2026-44665 1.1.7
undici forms-entitlement-api High Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 7.24.0
undici forms-entitlement-api High Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 7.24.0
undici forms-entitlement-api High Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client GHSA-f269-vfmq-vjvj / CVE-2026-1528 7.24.0
@babel/plugin-transform-modules-systemjs forms-manager High @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input GHSA-fv7c-fp4j-7gwp / CVE-2026-44728 7.29.4
basic-ftp forms-manager High basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering GHSA-rpmf-866q-6p89 / CVE-2026-44240 5.3.1
fast-xml-builder forms-manager High fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes GHSA-5wm8-gmm8-39j9 / CVE-2026-44665 1.1.7
@babel/plugin-transform-modules-systemjs forms-newls-cwt-listener High @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input GHSA-fv7c-fp4j-7gwp / CVE-2026-44728 7.29.4
@hapi/content forms-newls-cwt-listener High @hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing GHSA-jg4p-7fhp-p32p / CVE-2026-35213 6.0.1
basic-ftp forms-newls-cwt-listener High basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering GHSA-rpmf-866q-6p89 / CVE-2026-44240 5.3.1
basic-ftp forms-newls-cwt-listener High basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() GHSA-rp42-5vxx-qpwr / CVE-2026-41324 5.3.0
basic-ftp forms-newls-cwt-listener High basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands GHSA-6v7q-wjvx-w8wg 5.2.2
fast-uri forms-newls-cwt-listener High fast-uri vulnerable to host confusion via percent-encoded authority delimiters GHSA-v39h-62p7-jpjc / CVE-2026-6322 3.1.2
fast-uri forms-newls-cwt-listener High fast-uri vulnerable to path traversal via percent-encoded dot segments GHSA-q3j6-qgpj-74h6 / CVE-2026-6321 3.1.1
fast-xml-parser forms-newls-cwt-listener High fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) GHSA-8gc5-j5rx-235r / CVE-2026-33036 5.5.6
fast-xml-parser forms-newls-cwt-listener High fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) GHSA-jmr7-xgp7-cmfj / CVE-2026-26278 5.3.6
fast-xml-parser forms-newls-cwt-listener High fast-xml-parser has RangeError DoS Numeric Entities Bug GHSA-37qj-frw5-hhjh / CVE-2026-25128 5.3.4
flatted forms-newls-cwt-listener High Prototype Pollution via parse() in NodeJS flatted GHSA-rf6f-7fwh-wjgh / CVE-2026-33228 3.4.2
glob forms-newls-cwt-listener High glob CLI: Command injection via -c/--cmd executes matches with shell:true GHSA-5j98-mcp5-4vw2 / CVE-2025-64756 10.5.0
liquidjs forms-newls-cwt-listener High liquidjs has a Denial of Service via circular block reference in layout GHSA-4rc3-7j7w-m548 / CVE-2026-41311 10.25.7
liquidjs forms-newls-cwt-listener High LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates GHSA-56p5-8mhr-2fph / CVE-2026-35525 10.25.3
liquidjs forms-newls-cwt-listener High LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern GHSA-6q5m-63h6-5x4v / CVE-2026-33287
liquidjs forms-newls-cwt-listener High LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash GHSA-9r5m-9576-7f6x / CVE-2026-33285
liquidjs forms-newls-cwt-listener High liquidjs has a path traversal fallback vulnerability GHSA-wmfp-5q7x-987x / CVE-2026-30952 10.25.0
lodash forms-newls-cwt-listener High lodash vulnerable to Code Injection via `_.template` imports key names GHSA-r5fr-rjxr-66jc / CVE-2026-4800 4.18.0
minimatch forms-newls-cwt-listener High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 3.1.3
minimatch forms-newls-cwt-listener High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 9.0.7
minimatch forms-newls-cwt-listener High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 10.2.3
picomatch forms-newls-cwt-listener High Picomatch has a ReDoS vulnerability via extglob quantifiers GHSA-c2c7-rcm5-vvqj / CVE-2026-33671 2.3.2
rollup forms-newls-cwt-listener High Rollup 4 has Arbitrary File Write via Path Traversal GHSA-mw96-cpmx-2vgc / CVE-2026-27606 4.59.0
serialize-javascript forms-newls-cwt-listener High Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() GHSA-5c6j-r48x-rmvq 7.0.3
undici forms-newls-cwt-listener High Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 7.24.0
undici forms-newls-cwt-listener High Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 7.24.0
undici forms-newls-cwt-listener High Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client GHSA-f269-vfmq-vjvj / CVE-2026-1528 7.24.0
validator forms-newls-cwt-listener High Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements GHSA-vghf-hv5q-vc2g / CVE-2025-12758 13.15.22
vite forms-newls-cwt-listener High Vite: `server.fs.deny` bypassed with queries GHSA-v2wj-q39q-566r / CVE-2026-39364 7.3.2
vite forms-newls-cwt-listener High Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket GHSA-p9ff-h696-f583 / CVE-2026-39363 7.3.2
@babel/plugin-transform-modules-systemjs forms-notify-listener High @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input GHSA-fv7c-fp4j-7gwp / CVE-2026-44728 7.29.4
@hapi/content forms-notify-listener High @hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing GHSA-jg4p-7fhp-p32p / CVE-2026-35213 6.0.1
basic-ftp forms-notify-listener High basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering GHSA-rpmf-866q-6p89 / CVE-2026-44240 5.3.1
basic-ftp forms-notify-listener High basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() GHSA-rp42-5vxx-qpwr / CVE-2026-41324 5.3.0
basic-ftp forms-notify-listener High basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands GHSA-6v7q-wjvx-w8wg 5.2.2
basic-ftp forms-notify-listener High basic-ftp has FTP Command Injection via CRLF GHSA-chqc-8p9q-pq6q / CVE-2026-39983 5.2.1
fast-uri forms-notify-listener High fast-uri vulnerable to host confusion via percent-encoded authority delimiters GHSA-v39h-62p7-jpjc / CVE-2026-6322 3.1.2
fast-uri forms-notify-listener High fast-uri vulnerable to path traversal via percent-encoded dot segments GHSA-q3j6-qgpj-74h6 / CVE-2026-6321 3.1.1
fast-xml-builder forms-notify-listener High fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes GHSA-5wm8-gmm8-39j9 / CVE-2026-44665 1.1.7
liquidjs forms-notify-listener High liquidjs has a Denial of Service via circular block reference in layout GHSA-4rc3-7j7w-m548 / CVE-2026-41311 10.25.7
liquidjs forms-notify-listener High LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates GHSA-56p5-8mhr-2fph / CVE-2026-35525 10.25.3
serialize-javascript forms-notify-listener High Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() GHSA-5c6j-r48x-rmvq 7.0.3
undici forms-runner-acceptance-tests High Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 7.24.0
undici forms-runner-acceptance-tests High Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 7.24.0
undici forms-runner-acceptance-tests High Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client GHSA-f269-vfmq-vjvj / CVE-2026-1528 7.24.0
flatted forms-runner-tests High Prototype Pollution via parse() in NodeJS flatted GHSA-rf6f-7fwh-wjgh / CVE-2026-33228 3.4.2
@babel/plugin-transform-modules-systemjs forms-smoke-test High @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input GHSA-fv7c-fp4j-7gwp / CVE-2026-44728 7.29.4
basic-ftp forms-smoke-test High basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering GHSA-rpmf-866q-6p89 / CVE-2026-44240 5.3.1
basic-ftp forms-smoke-test High basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() GHSA-rp42-5vxx-qpwr / CVE-2026-41324 5.3.0
basic-ftp forms-smoke-test High basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands GHSA-6v7q-wjvx-w8wg 5.2.2
basic-ftp forms-smoke-test High basic-ftp has FTP Command Injection via CRLF GHSA-chqc-8p9q-pq6q / CVE-2026-39983 5.2.1
fast-xml-parser forms-smoke-test High fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) GHSA-8gc5-j5rx-235r / CVE-2026-33036 4.5.5
flatted forms-smoke-test High Prototype Pollution via parse() in NodeJS flatted GHSA-rf6f-7fwh-wjgh / CVE-2026-33228 3.4.2
lodash forms-smoke-test High lodash vulnerable to Code Injection via `_.template` imports key names GHSA-r5fr-rjxr-66jc / CVE-2026-4800 4.18.0
minimatch forms-smoke-test High minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments GHSA-7r86-cg39-jmmj / CVE-2026-27903 3.1.3
minimatch forms-smoke-test High minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions GHSA-23c5-xmqv-rm74 / CVE-2026-27904 3.1.4
minimatch forms-smoke-test High minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern GHSA-3ppc-4f35-3m26 / CVE-2026-26996 3.1.3
picomatch forms-smoke-test High Picomatch has a ReDoS vulnerability via extglob quantifiers GHSA-c2c7-rcm5-vvqj / CVE-2026-33671 2.3.2
serialize-javascript forms-smoke-test High Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() GHSA-5c6j-r48x-rmvq 7.0.3
undici forms-smoke-test High Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 6.24.0
undici forms-smoke-test High Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 6.24.0
undici forms-smoke-test High Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client GHSA-f269-vfmq-vjvj / CVE-2026-1528 6.24.0
serialize-javascript forms-submission-api High Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() GHSA-5c6j-r48x-rmvq 7.0.3
SonarSource/sonarqube-scan-action forms-submission-api High Argument injection vulnerability in SonarQube Scan Action GHSA-5xq9-5g24-4g6f / CVE-2025-59844 6.0.0
SonarSource/sonarqube-scan-action forms-submission-api High Argument injection vulnerability in SonarQube Scan Action GHSA-5xq9-5g24-4g6f / CVE-2025-59844 6.0.0

Medium 158 alerts

| Package | Repo | Severity | Advisory | ID | Fixed in |
|---|---|---|---|---|---|
| axios | forms-acceptance-tests | Medium | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | GHSA-445q-vr5w-6q77 / CVE-2026-42037 | 1.15.1 |
| axios | forms-acceptance-tests | Medium | Axios: no_proxy bypass via IP alias allows SSRF | GHSA-m7pr-hjqh-92cm / CVE-2026-42038 | 1.15.1 |
| axios | forms-acceptance-tests | Medium | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | GHSA-62hf-57xw-28j9 / CVE-2026-42039 | 1.15.1 |
| axios | forms-acceptance-tests | Medium | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 | GHSA-5c9x-8gcm-mpgx / CVE-2026-42034 | 1.15.1 |
| axios | forms-acceptance-tests | Medium | Axios: HTTP adapter streamed responses bypass maxContentLength | GHSA-vf2m-468p-8v99 / CVE-2026-42036 | 1.15.1 |
| axios | forms-acceptance-tests | Medium | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion | GHSA-xx6v-rp6x-q39c / CVE-2026-42042 | 1.15.1 |
| axios | forms-acceptance-tests | Medium | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy | GHSA-w9j2-pvgh-6h63 / CVE-2026-42041 | 1.15.1 |
| axios | forms-acceptance-tests | Medium | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` | GHSA-3w6x-2g7m-8v23 / CVE-2026-42044 | 1.15.2 |
| axios | forms-acceptance-tests | Medium | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | GHSA-3p68-rc4w-qgx5 / CVE-2025-62718 | 1.15.0 |
| axios | forms-acceptance-tests | Medium | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | GHSA-fvcv-3m26-pcqx / CVE-2026-40175 | 1.15.0 |
| brace-expansion | forms-acceptance-tests | Medium | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | GHSA-f886-m6hf-6m8v / CVE-2026-33750 | 1.1.13 |
| brace-expansion | forms-acceptance-tests | Medium | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | GHSA-f886-m6hf-6m8v / CVE-2026-33750 | 2.0.3 |
| browserstack-local | forms-acceptance-tests | Medium | BrowserStack Local vulnerable to Command Injection through logfile variable | GHSA-g4w6-c99w-4wh7 / CVE-2025-57283 | 1.5.9 |
| fast-xml-parser | forms-acceptance-tests | Medium | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | GHSA-gh4j-gqv2-49f6 / CVE-2026-41650 | 5.7.0 |
| fast-xml-parser | forms-acceptance-tests | Medium | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | GHSA-jp2q-39xq-3w4g / CVE-2026-33349 | 5.5.7 |
| follow-redirects | forms-acceptance-tests | Medium | follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets | GHSA-r4q5-vmmm-2653 | 1.16.0 |
| ip-address | forms-acceptance-tests | Medium | ip-address has XSS in Address6 HTML-emitting methods | GHSA-v2v4-37r5-5v8g / CVE-2026-42338 | 10.1.1 |
| js-yaml | forms-acceptance-tests | Medium | js-yaml has prototype pollution in merge (<<) | GHSA-mh29-5h37-fv8m / CVE-2025-64718 | 4.1.1 |
| lodash | forms-acceptance-tests | Medium | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` | GHSA-f23m-r3pf-42rh / CVE-2026-2950 | 4.18.0 |
| lodash | forms-acceptance-tests | Medium | Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions | GHSA-xxjr-mmjv-4gpg / CVE-2025-13465 | 4.17.23 |
| picomatch | forms-acceptance-tests | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 2.3.2 |
| picomatch | forms-acceptance-tests | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 4.0.4 |
| serialize-javascript | forms-acceptance-tests | Medium | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 | 7.0.5 |
| undici | forms-acceptance-tests | Medium | Undici has CRLF Injection in undici via `upgrade` option | GHSA-4992-7rv2-5pvq / CVE-2026-1527 | 7.24.0 |
| undici | forms-acceptance-tests | Medium | Undici has CRLF Injection in undici via `upgrade` option | GHSA-4992-7rv2-5pvq / CVE-2026-1527 | 6.24.0 |
| undici | forms-acceptance-tests | Medium | Undici has an HTTP Request/Response Smuggling issue | GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 | 7.24.0 |
| undici | forms-acceptance-tests | Medium | Undici has an HTTP Request/Response Smuggling issue | GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 | 6.24.0 |
| undici | forms-acceptance-tests | Medium | Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion | GHSA-g9mf-h72j-4rw9 / CVE-2026-22036 | 6.23.0 |
| undici | forms-acceptance-tests | Medium | Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion | GHSA-g9mf-h72j-4rw9 / CVE-2026-22036 | 7.18.2 |
| uuid | forms-acceptance-tests | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| ws | forms-acceptance-tests | Medium | ws: Uninitialized memory disclosure | GHSA-58qx-3vcg-4xpx / CVE-2026-45736 | 8.20.1 |
| yauzl | forms-acceptance-tests | Medium | yauzl contains an off-by-one error | GHSA-gmq8-994r-jv83 / CVE-2026-31988 | 3.2.1 |
| ajv | forms-adaptor-template | Medium | ajv has ReDoS when using `$data` option | GHSA-2g4f-4pwh-qvx6 / CVE-2025-69873 | 6.14.0 |
| brace-expansion | forms-adaptor-template | Medium | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | GHSA-f886-m6hf-6m8v / CVE-2026-33750 | 1.1.13 |
| fast-xml-parser | forms-adaptor-template | Medium | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | GHSA-gh4j-gqv2-49f6 / CVE-2026-41650 | 5.7.0 |
| fast-xml-parser | forms-adaptor-template | Medium | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | GHSA-jp2q-39xq-3w4g / CVE-2026-33349 | 5.5.7 |
| ip-address | forms-adaptor-template | Medium | ip-address has XSS in Address6 HTML-emitting methods | GHSA-v2v4-37r5-5v8g / CVE-2026-42338 | 10.1.1 |
| js-yaml | forms-adaptor-template | Medium | js-yaml has prototype pollution in merge (<<) | GHSA-mh29-5h37-fv8m / CVE-2025-64718 | 4.1.1 |
| lodash | forms-adaptor-template | Medium | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` | GHSA-f23m-r3pf-42rh / CVE-2026-2950 | 4.18.0 |
| lodash | forms-adaptor-template | Medium | Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions | GHSA-xxjr-mmjv-4gpg / CVE-2025-13465 | 4.17.23 |
| picomatch | forms-adaptor-template | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 2.3.2 |
| picomatch | forms-adaptor-template | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 4.0.4 |
| postcss | forms-adaptor-template | Medium | PostCSS has XSS via Unescaped </style> in its CSS Stringify Output | GHSA-qx2v-qp2m-jg93 / CVE-2026-41305 | 8.5.10 |
| qs | forms-adaptor-template | Medium | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set | GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 | 6.15.2 |
| serialize-javascript | forms-adaptor-template | Medium | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 | 7.0.5 |
| undici | forms-adaptor-template | Medium | Undici has CRLF Injection in undici via `upgrade` option | GHSA-4992-7rv2-5pvq / CVE-2026-1527 | 7.24.0 |
| undici | forms-adaptor-template | Medium | Undici has an HTTP Request/Response Smuggling issue | GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 | 7.24.0 |
| undici | forms-adaptor-template | Medium | Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion | GHSA-g9mf-h72j-4rw9 / CVE-2026-22036 | 7.18.2 |
| uuid | forms-adaptor-template | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| validator | forms-adaptor-template | Medium | validator.js has a URL validation bypass vulnerability in its isURL function | GHSA-9965-vmph-33xx / CVE-2025-56200 | 13.15.20 |
| vite | forms-adaptor-template | Medium | Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling | GHSA-4w7w-66w2-5vf9 / CVE-2026-39365 | 7.3.2 |
| vite | forms-adaptor-template | Medium | vite allows server.fs.deny bypass via backslash on Windows | GHSA-93m4-6634-74q7 / CVE-2025-62522 | 7.1.11 |
| webpack-dev-server | forms-adaptor-template | Medium | webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins | GHSA-79cf-xcqc-c78w / CVE-2026-6402 | 5.2.4 |
| ws | forms-adaptor-template | Medium | ws: Uninitialized memory disclosure | GHSA-58qx-3vcg-4xpx / CVE-2026-45736 | 8.20.1 |
| yaml | forms-adaptor-template | Medium | yaml is vulnerable to Stack Overflow via deeply nested YAML collections | GHSA-48c2-rrv3-qjmp / CVE-2026-33532 | 2.8.3 |
| ip-address | forms-audit-api | Medium | ip-address has XSS in Address6 HTML-emitting methods | GHSA-v2v4-37r5-5v8g / CVE-2026-42338 | 10.1.1 |
| uuid | forms-audit-api | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| brace-expansion | forms-designer | Medium | brace-expansion: Large numeric range defeats documented `max` DoS protection | GHSA-jxxr-4gwj-5jf2 / CVE-2026-45149 | 5.0.6 |
| qs | forms-designer | Medium | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set | GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 | 6.15.2 |
| serialize-javascript | forms-designer | Medium | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 | 7.0.5 |
| uuid | forms-designer | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| ws | forms-designer | Medium | ws: Uninitialized memory disclosure | GHSA-58qx-3vcg-4xpx / CVE-2026-45736 | 8.20.1 |
| @babel/helpers | forms-e2e-smoke-test | Medium | Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups | GHSA-968p-4wvh-cqc8 / CVE-2025-27789 | 7.26.10 |
| @babel/runtime | forms-e2e-smoke-test | Medium | Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups | GHSA-968p-4wvh-cqc8 / CVE-2025-27789 | 7.26.10 |
| brace-expansion | forms-e2e-smoke-test | Medium | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | GHSA-f886-m6hf-6m8v / CVE-2026-33750 | 2.0.3 |
| ejs | forms-e2e-smoke-test | Medium | ejs lacks certain pollution protection | GHSA-ghr5-ch3p-vcr6 / CVE-2024-33883 | 3.1.10 |
| ip-address | forms-e2e-smoke-test | Medium | ip-address has XSS in Address6 HTML-emitting methods | GHSA-v2v4-37r5-5v8g / CVE-2026-42338 | 10.1.1 |
| js-yaml | forms-e2e-smoke-test | Medium | js-yaml has prototype pollution in merge (<<) | GHSA-mh29-5h37-fv8m / CVE-2025-64718 | 4.1.1 |
| lodash | forms-e2e-smoke-test | Medium | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` | GHSA-f23m-r3pf-42rh / CVE-2026-2950 | 4.18.0 |
| lodash | forms-e2e-smoke-test | Medium | Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions | GHSA-xxjr-mmjv-4gpg / CVE-2025-13465 | 4.17.23 |
| micromatch | forms-e2e-smoke-test | Medium | Regular Expression Denial of Service (ReDoS) in micromatch | GHSA-952p-6rrq-rcjv / CVE-2024-4067 | 4.0.8 |
| picomatch | forms-e2e-smoke-test | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 2.3.2 |
| serialize-javascript | forms-e2e-smoke-test | Medium | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 | 7.0.5 |
| serialize-javascript | forms-e2e-smoke-test | Medium | Cross-site Scripting (XSS) in serialize-javascript | GHSA-76p7-773f-r4q5 / CVE-2024-11831 | 6.0.2 |
| ws | forms-e2e-smoke-test | Medium | ws: Uninitialized memory disclosure | GHSA-58qx-3vcg-4xpx / CVE-2026-45736 | 8.20.1 |
| qs | forms-engine-plugin | Medium | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set | GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 | 6.15.2 |
| uuid | forms-engine-plugin | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| brace-expansion | forms-engine-plugin-example-ui | Medium | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | GHSA-f886-m6hf-6m8v / CVE-2026-33750 | 2.0.3 |
| ip-address | forms-engine-plugin-example-ui | Medium | ip-address has XSS in Address6 HTML-emitting methods | GHSA-v2v4-37r5-5v8g / CVE-2026-42338 | 10.1.1 |
| liquidjs | forms-engine-plugin-example-ui | Medium | LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read | GHSA-v273-448j-v4qj / CVE-2026-39859 | 10.25.5 |
| liquidjs | forms-engine-plugin-example-ui | Medium | LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel | GHSA-rv5g-f82m-qrvv / CVE-2026-39412 | 10.25.4 |
| lodash | forms-engine-plugin-example-ui | Medium | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` | GHSA-f23m-r3pf-42rh / CVE-2026-2950 | 4.18.0 |
| picomatch | forms-engine-plugin-example-ui | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 2.3.2 |
| picomatch | forms-engine-plugin-example-ui | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 4.0.4 |
| protocol-buffers-schema | forms-engine-plugin-example-ui | Medium | Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution | GHSA-j452-xhg8-qg39 / CVE-2026-5758 | 3.6.1 |
| serialize-javascript | forms-engine-plugin-example-ui | Medium | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 | 7.0.5 |
| uuid | forms-engine-plugin-example-ui | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| yaml | forms-engine-plugin-example-ui | Medium | yaml is vulnerable to Stack Overflow via deeply nested YAML collections | GHSA-48c2-rrv3-qjmp / CVE-2026-33532 | 2.8.3 |
| fast-xml-builder | forms-entitlement-api | Medium | fast-xml-builder Comment Value regex can be bypassed | GHSA-45c6-75p6-83cc / CVE-2026-44664 | 1.1.6 |
| ip-address | forms-entitlement-api | Medium | ip-address has XSS in Address6 HTML-emitting methods | GHSA-v2v4-37r5-5v8g / CVE-2026-42338 | 10.1.1 |
| undici | forms-entitlement-api | Medium | Undici has CRLF Injection in undici via `upgrade` option | GHSA-4992-7rv2-5pvq / CVE-2026-1527 | 7.24.0 |
| undici | forms-entitlement-api | Medium | Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS | GHSA-phc3-fgpg-7m6h / CVE-2026-2581 | 7.24.0 |
| undici | forms-entitlement-api | Medium | Undici has an HTTP Request/Response Smuggling issue | GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 | 7.24.0 |
| uuid | forms-entitlement-api | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| fast-xml-parser | forms-manager | Medium | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | GHSA-gh4j-gqv2-49f6 / CVE-2026-41650 | 5.7.0 |
| ip-address | forms-manager | Medium | ip-address has XSS in Address6 HTML-emitting methods | GHSA-v2v4-37r5-5v8g / CVE-2026-42338 | 10.1.1 |
| uuid | forms-manager | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| ajv | forms-newls-cwt-listener | Medium | ajv has ReDoS when using `$data` option | GHSA-2g4f-4pwh-qvx6 / CVE-2025-69873 | 6.14.0 |
| brace-expansion | forms-newls-cwt-listener | Medium | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | GHSA-f886-m6hf-6m8v / CVE-2026-33750 | 1.1.13 |
| fast-xml-parser | forms-newls-cwt-listener | Medium | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | GHSA-gh4j-gqv2-49f6 / CVE-2026-41650 | 5.7.0 |
| fast-xml-parser | forms-newls-cwt-listener | Medium | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | GHSA-jp2q-39xq-3w4g / CVE-2026-33349 | 5.5.7 |
| ip-address | forms-newls-cwt-listener | Medium | ip-address has XSS in Address6 HTML-emitting methods | GHSA-v2v4-37r5-5v8g / CVE-2026-42338 | 10.1.1 |
| js-yaml | forms-newls-cwt-listener | Medium | js-yaml has prototype pollution in merge (<<) | GHSA-mh29-5h37-fv8m / CVE-2025-64718 | 4.1.1 |
| liquidjs | forms-newls-cwt-listener | Medium | LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read | GHSA-v273-448j-v4qj / CVE-2026-39859 | 10.25.5 |
| liquidjs | forms-newls-cwt-listener | Medium | LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel | GHSA-rv5g-f82m-qrvv / CVE-2026-39412 | 10.25.4 |
| lodash | forms-newls-cwt-listener | Medium | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` | GHSA-f23m-r3pf-42rh / CVE-2026-2950 | 4.18.0 |
| lodash | forms-newls-cwt-listener | Medium | Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions | GHSA-xxjr-mmjv-4gpg / CVE-2025-13465 | 4.17.23 |
| picomatch | forms-newls-cwt-listener | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 2.3.2 |
| picomatch | forms-newls-cwt-listener | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 4.0.4 |
| postcss | forms-newls-cwt-listener | Medium | PostCSS has XSS via Unescaped </style> in its CSS Stringify Output | GHSA-qx2v-qp2m-jg93 / CVE-2026-41305 | 8.5.10 |
| qs | forms-newls-cwt-listener | Medium | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set | GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 | 6.15.2 |
| serialize-javascript | forms-newls-cwt-listener | Medium | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 | 7.0.5 |
| undici | forms-newls-cwt-listener | Medium | Undici has CRLF Injection in undici via `upgrade` option | GHSA-4992-7rv2-5pvq / CVE-2026-1527 | 7.24.0 |
| undici | forms-newls-cwt-listener | Medium | Undici has an HTTP Request/Response Smuggling issue | GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 | 7.24.0 |
| undici | forms-newls-cwt-listener | Medium | Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion | GHSA-g9mf-h72j-4rw9 / CVE-2026-22036 | 7.18.2 |
| uuid | forms-newls-cwt-listener | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| validator | forms-newls-cwt-listener | Medium | validator.js has a URL validation bypass vulnerability in its isURL function | GHSA-9965-vmph-33xx / CVE-2025-56200 | 13.15.20 |
| vite | forms-newls-cwt-listener | Medium | Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling | GHSA-4w7w-66w2-5vf9 / CVE-2026-39365 | 7.3.2 |
| vite | forms-newls-cwt-listener | Medium | vite allows server.fs.deny bypass via backslash on Windows | GHSA-93m4-6634-74q7 / CVE-2025-62522 | 7.1.11 |
| webpack-dev-server | forms-newls-cwt-listener | Medium | webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins | GHSA-79cf-xcqc-c78w / CVE-2026-6402 | 5.2.4 |
| ws | forms-newls-cwt-listener | Medium | ws: Uninitialized memory disclosure | GHSA-58qx-3vcg-4xpx / CVE-2026-45736 | 8.20.1 |
| yaml | forms-newls-cwt-listener | Medium | yaml is vulnerable to Stack Overflow via deeply nested YAML collections | GHSA-48c2-rrv3-qjmp / CVE-2026-33532 | 2.8.3 |
| fast-xml-parser | forms-notify-listener | Medium | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | GHSA-gh4j-gqv2-49f6 / CVE-2026-41650 | 5.7.0 |
| follow-redirects | forms-notify-listener | Medium | follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets | GHSA-r4q5-vmmm-2653 | 1.16.0 |
| ip-address | forms-notify-listener | Medium | ip-address has XSS in Address6 HTML-emitting methods | GHSA-v2v4-37r5-5v8g / CVE-2026-42338 | 10.1.1 |
| liquidjs | forms-notify-listener | Medium | LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read | GHSA-v273-448j-v4qj / CVE-2026-39859 | 10.25.5 |
| liquidjs | forms-notify-listener | Medium | LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel | GHSA-rv5g-f82m-qrvv / CVE-2026-39412 | 10.25.4 |
| postcss | forms-notify-listener | Medium | PostCSS has XSS via Unescaped </style> in its CSS Stringify Output | GHSA-qx2v-qp2m-jg93 / CVE-2026-41305 | 8.5.10 |
| qs | forms-notify-listener | Medium | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set | GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 | 6.15.2 |
| serialize-javascript | forms-notify-listener | Medium | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 | 7.0.5 |
| uuid | forms-notify-listener | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| webpack-dev-server | forms-notify-listener | Medium | webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins | GHSA-79cf-xcqc-c78w / CVE-2026-6402 | 5.2.4 |
| ws | forms-notify-listener | Medium | ws: Uninitialized memory disclosure | GHSA-58qx-3vcg-4xpx / CVE-2026-45736 | 8.20.1 |
| qs | forms-runner | Medium | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set | GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 | 6.15.2 |
| useragent | forms-runner | Medium | useragent Regular Expression Denial of Service vulnerability | GHSA-mgfv-m47x-4wqp / CVE-2020-26311 | |
| uuid | forms-runner | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| webpack-dev-server | forms-runner | Medium | webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins | GHSA-79cf-xcqc-c78w / CVE-2026-6402 | 5.2.4 |
| ws | forms-runner | Medium | ws: Uninitialized memory disclosure | GHSA-58qx-3vcg-4xpx / CVE-2026-45736 | 8.20.1 |
| undici | forms-runner-acceptance-tests | Medium | Undici has CRLF Injection in undici via `upgrade` option | GHSA-4992-7rv2-5pvq / CVE-2026-1527 | 7.24.0 |
| undici | forms-runner-acceptance-tests | Medium | Undici has an HTTP Request/Response Smuggling issue | GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 | 7.24.0 |
| undici | forms-runner-acceptance-tests | Medium | Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion | GHSA-g9mf-h72j-4rw9 / CVE-2026-22036 | 7.18.2 |
| picomatch | forms-runner-tests | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 4.0.4 |
| uuid | forms-runner-tests | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| uuid | forms-sharepoint-listener | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| brace-expansion | forms-smoke-test | Medium | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | GHSA-f886-m6hf-6m8v / CVE-2026-33750 | 2.0.3 |
| esbuild | forms-smoke-test | Medium | esbuild enables any website to send any requests to the development server and read the response | GHSA-67mh-4wv8-2f99 | 0.25.0 |
| fast-xml-parser | forms-smoke-test | Medium | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | GHSA-gh4j-gqv2-49f6 / CVE-2026-41650 | 5.7.0 |
| fast-xml-parser | forms-smoke-test | Medium | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | GHSA-jp2q-39xq-3w4g / CVE-2026-33349 | 4.5.5 |
| ip-address | forms-smoke-test | Medium | ip-address has XSS in Address6 HTML-emitting methods | GHSA-v2v4-37r5-5v8g / CVE-2026-42338 | 10.1.1 |
| lodash | forms-smoke-test | Medium | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` | GHSA-f23m-r3pf-42rh / CVE-2026-2950 | 4.18.0 |
| picomatch | forms-smoke-test | Medium | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | GHSA-3v7f-55p6-f55p / CVE-2026-33672 | 2.3.2 |
| serialize-javascript | forms-smoke-test | Medium | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 | 7.0.5 |
| undici | forms-smoke-test | Medium | Undici has CRLF Injection in undici via `upgrade` option | GHSA-4992-7rv2-5pvq / CVE-2026-1527 | 6.24.0 |
| undici | forms-smoke-test | Medium | Undici has an HTTP Request/Response Smuggling issue | GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 | 6.24.0 |
| qs | forms-submission-api | Medium | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set | GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 | 6.15.2 |
| serialize-javascript | forms-submission-api | Medium | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 | 7.0.5 |
| uuid | forms-submission-api | Medium | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | GHSA-w5hq-g745-h8pq / CVE-2026-41907 | 11.1.1 |
| webpack-dev-server | forms-submission-api | Medium | webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins | GHSA-79cf-xcqc-c78w / CVE-2026-6402 | 5.2.4 |

Low 20 alerts

| Package | Repo | Severity | Advisory | ID | Fixed in |
|---|---|---|---|---|---|
| axios | forms-acceptance-tests | Low | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | GHSA-xhjh-pmcv-23jw / CVE-2026-42040 | 1.15.1 |
| diff | forms-acceptance-tests | Low | jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch | GHSA-73rr-hh4g-fpgx / CVE-2026-24001 | 5.2.2 |
| diff | forms-acceptance-tests | Low | jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch | GHSA-73rr-hh4g-fpgx / CVE-2026-24001 | 8.0.3 |
| fast-xml-parser | forms-acceptance-tests | Low | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | GHSA-fj3w-jwp8-x2g3 / CVE-2026-27942 | 5.3.8 |
| @smithy/config-resolver | forms-adaptor-template | Low | AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value | GHSA-6475-r3vj-m8vf | 4.4.0 |
| fast-xml-parser | forms-adaptor-template | Low | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | GHSA-fj3w-jwp8-x2g3 / CVE-2026-27942 | 5.3.8 |
| vite | forms-adaptor-template | Low | Vite middleware may serve files starting with the same name with the public directory | GHSA-g4jq-h2w9-997c / CVE-2025-58751 | 7.1.5 |
| vite | forms-adaptor-template | Low | Vite's `server.fs` settings were not applied to HTML files | GHSA-jqfw-vq24-v9c3 / CVE-2025-58752 | 7.1.5 |
| brace-expansion | forms-e2e-smoke-test | Low | brace-expansion Regular Expression Denial of Service vulnerability | GHSA-v6h2-p8h4-qcjw / CVE-2025-5889 | 2.0.2 |
| diff | forms-e2e-smoke-test | Low | jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch | GHSA-73rr-hh4g-fpgx / CVE-2026-24001 | 5.2.2 |
| tmp | forms-e2e-smoke-test | Low | tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter | GHSA-52f5-9888-hmc6 / CVE-2025-54798 | 0.2.4 |
| liquidjs | forms-engine-plugin-example-ui | Low | LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter | GHSA-mmg9-6m6j-jqqx / CVE-2026-34166 | 10.25.3 |
| @smithy/config-resolver | forms-newls-cwt-listener | Low | AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value | GHSA-6475-r3vj-m8vf | 4.4.0 |
| fast-xml-parser | forms-newls-cwt-listener | Low | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | GHSA-fj3w-jwp8-x2g3 / CVE-2026-27942 | 5.3.8 |
| liquidjs | forms-newls-cwt-listener | Low | LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter | GHSA-mmg9-6m6j-jqqx / CVE-2026-34166 | 10.25.3 |
| vite | forms-newls-cwt-listener | Low | Vite middleware may serve files starting with the same name with the public directory | GHSA-g4jq-h2w9-997c / CVE-2025-58751 | 7.1.5 |
| vite | forms-newls-cwt-listener | Low | Vite's `server.fs` settings were not applied to HTML files | GHSA-jqfw-vq24-v9c3 / CVE-2025-58752 | 7.1.5 |
| liquidjs | forms-notify-listener | Low | LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter | GHSA-mmg9-6m6j-jqqx / CVE-2026-34166 | 10.25.3 |
| undici | forms-runner-acceptance-tests | Low | undici Denial of Service attack via bad certificate data | GHSA-cxrh-j4jr-qwg3 / CVE-2025-47279 | 7.5.0 |
| tmp | forms-smoke-test | Low | tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter | GHSA-52f5-9888-hmc6 / CVE-2025-54798 | 0.2.4 |