CVE-2024-36361
MEDIUMPug <=3.0.2 - Code Execution via Untrusted Template Name Option
Title source: manualDescription
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
References (2)
Core 2
Core References
Various Sources
https://pugjs.org/api/reference.html
Issue Tracking
https://github.com/pugjs/pug/pull/3428
Scores
CVSS v3
6.8
EPSS
0.0036
EPSS Percentile
58.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (2)
npm/pug
0 - 3.0.3npm
npm/pug-code-gen
0 - 3.0.3npm
Published
May 24, 2024
Tracked Since
Feb 18, 2026