ejs
npm | 5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting ejs
- CVE-2017-1000188 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.5.5 | 2017-11-17
  nodejs ejs version older than 2.5.5 is vulnerable to cross-site scripting in ejs.renderFile(), resulting in code injection
- CVE-2017-1000189 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.5.5 | 2017-11-17
  nodejs ejs version older than 2.5.5 is vulnerable to denial of service due to weak input validation in ejs.renderFile()
- CVE-2017-1000228 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.5.5 | 2017-11-17
  nodejs ejs versions older than 2.5.3 are vulnerable to remote code execution due to weak input validation in the ejs.renderFile() function
- CVE-2022-29078 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.1.7 | 2022-04-25
  The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option w…
- CVE-2024-33883 | MEDIUM | CVSS 4.0 | EG 4.0 | ✓ Fixed in 3.1.10 | 2024-04-28
  The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.