MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827

Severity:: Medium

Description

MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type=”css” case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827.

Recommendation

No fix is available yet. Followings are affected versions:

<= 4.18.0

References

GHSA-45h5-66jx-r2wf
CVE-2025-67898
CWE-36
CAPEC-310
OWASP 2021-A6

Related Issues

Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion - CVE-2026-23522
Nuxt vulnerable to remote code execution via the browser when running the test locally - CVE-2024-34344
SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - CVE-2025-67647
MJML vulnerable to path traversal - CVE-2020-12827

Tags:: npm; mjml

Anything's wrong? Let us know Last updated on December 17, 2025