| purl | pkg:npm/pug@3.0.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-6413-jwmk-zfc3 (Aliases: CVE-2024-36361, GHSA-3965-hpx2-q597) | Pug allows JavaScript code execution if an application accepts untrusted input. Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers. | |

Affected by 0 other vulnerabilities.
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1kt8-hnue-fuaf | Remote code execution via the `pretty` option. If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. | CVE-2021-21353, GHSA-p493-635q-r6gr |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-07T20:44:54.835923+00:00 | GHSA Importer | Fixing | VCID-1kt8-hnue-fuaf | https://github.com/advisories/GHSA-p493-635q-r6gr | 38.6.0 |
| 2026-06-06T04:58:15.906335+00:00 | GitLab Importer | Affected by | VCID-6413-jwmk-zfc3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pug/CVE-2024-36361.yml | 38.6.0 |
| 2026-06-04T17:32:40.959457+00:00 | GithubOSV Importer | Fixing | VCID-1kt8-hnue-fuaf | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-p493-635q-r6gr/GHSA-p493-635q-r6gr.json | 38.6.0 |
| 2026-06-04T16:20:50.807966+00:00 | GitLab Importer | Fixing | VCID-1kt8-hnue-fuaf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pug/CVE-2021-21353.yml | 38.6.0 |