Description
This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine.
Recommendation
Update the djv package to the latest compatible version. Version details:
- Affected version(s): < 2.1.4
- Patched version(s): 2.1.4
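An added example, not part of the original advisory: a lockfile check for the affected range above. It reports every installed copy of djv, including nested copies pulled in transitively, and marks those below 2.1.4; the sample lockfile and the package name some-validator are constructed for illustration.

```javascript
// Added example: flag copies of djv below the patched release in an npm lockfile.
const PATCHED = [2, 1, 4]; // from the advisory: affected < 2.1.4

// Classify one version string as 'affected', 'patched' or 'unknown'.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version ?? ''));
  if (!m) return 'unknown'; // git/tarball specifiers etc. need manual review
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i] ? 'affected' : 'patched';
  }
  // Same numbers as 2.1.4: a prerelease (2.1.4-rc.1) sorts before 2.1.4.
  return m[4] ? 'affected' : 'patched';
}

// Return every installed djv entry with its install path and status.
function findDjv(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/djv' || path.endsWith('/node_modules/djv')) {
      hits.push({ path, version: pkg.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages"
  // exists, because v2 lockfiles carry both and would report duplicates).
  const walk = (deps, trail) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + name;
      if (name === 'djv') hits.push({ path, version: pkg.version });
      walk(pkg.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map((h) => ({ ...h, status: classify(h.version) }));
}

// Constructed sample lockfile; "some-validator" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/djv': { version: '2.1.4' },
    'node_modules/some-validator/node_modules/djv': { version: '2.1.2' },
  },
};

for (const h of findDjv(sampleLock)) console.log(h.status, h.version, h.path);
```

For a real project, pass the parsed contents of package-lock.json to findDjv; entries reported as unknown (non-registry specifiers) need a manual look.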
References
Related Issues
- Joplin is vulnerable to arbitrary code execution - CVE-2022-35131
- React Editable Json Tree vulnerable to arbitrary code execution via function parsing - CVE-2022-36010
- Electerm runWidget has a path traversal that leads to arbitrary code execution - CVE-2026-43940
- Arbitrary code execution in protobufjs - CVE-2026-41242
Tags: npm, djv
Last updated on February 01, 2023


