Description
Affected versions of jsrender are susceptible to a remote code execution vulnerability when used with server delivered client-side tempates which dynamically embed user input.
Recommendation
Update the jsrender package to the latest compatible version. Followings are version details:
- Affected version(s): <= 0.9.73
- Patched version(s): 0.9.74
References
Related Issues
- Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - @strapi/plugin-email - CVE-2023-22621
- lodash vulnerable to Code Injection via `_.template` imports key names - lodash-amd - CVE-2026-4800
- CouchAuth has a Server-Side Template Injection vulnerability in its email functionality - CVE-2024-57177
- lodash vulnerable to Code Injection via `_.template` imports key names - lodash-es - CVE-2026-4800
You might also like:
- Tags:
- npm
- jsrender
Anything's wrong? Let us know Last updated on September 07, 2023


