CVE-2020-7640

CRITICAL

pixl-class < 1.0.3 - OS Command Injection via Unsanitized Members Argument

Description

pixl-class prior to 1.0.3 allows execution of arbitrary commands. The members argument of the create function can be controlled by users without any sanitization.

Scores

CVSS v3 9.8
EPSS 0.0214
EPSS Percentile 79.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-78
Status published
Products (2)
npm/pixl-class 0 - 1.0.3 (npm)
pixlcore/pixl-class < 1.0.3
Published Apr 27, 2020
Tracked Since Feb 18, 2026