Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the `name` option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| pug-code-gen (npm) | 0 | 3.0.3 | N/A |
| pug (npm) | 0 | 3.0.3 | N/A |