Description
If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.
Recommendation
Update the pug package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.0.1
- Patched version(s): 3.0.1
References
Related Issues
- OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment - CVE-2026-41900
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - paperclipai - CVE-2026-41679
You might also like:
- Tags:
- npm
- pug
Anything's wrong? Let us know Last updated on May 28, 2025


