| purl | pkg:npm/pug-code-gen@2.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1kt8-hnue-fuaf (Aliases: CVE-2021-21353, GHSA-p493-635q-r6gr) | Remote code execution via the `pretty` option. If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-6413-jwmk-zfc3 (Aliases: CVE-2024-36361, GHSA-3965-hpx2-q597) | Pug allows JavaScript code execution if an application accepts untrusted input. Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T04:58:25.138901+00:00 | GitLab Importer | Affected by | VCID-6413-jwmk-zfc3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pug-code-gen/CVE-2024-36361.yml | 38.6.0 |
| 2026-06-04T20:45:46.725234+00:00 | GitLab Importer | Affected by | VCID-1kt8-hnue-fuaf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pug-code-gen/CVE-2021-21353.yml | 38.6.0 |