Luke Edwards

3 exploits Active since Nov 2021
CVE-2021-23784 WRITEUP MEDIUM WRITEUP
Tempura < 0.4.0 - XSS
This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.
CVSS 5.4
CVE-2024-21529 WRITEUP HIGH WRITEUP
NPM Dset < 3.1.4 - Prototype Pollution
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.
CVSS 8.2
CVE-2025-58751 WRITEUP MEDIUM WRITEUP
Vite <7.1.5, <7.0.7, <6.3.6, <5.4.20 - Auth Bypass
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
CVSS 5.3