VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-ch36-st1p-2khy

Essentials
Severities (11)
References (6)
Severity details (9)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-ch36-st1p-2khy
Aliases	CVE-2021-23389 GHSA-7fm6-gxqg-2pwr
Summary	Code Injection The package total.js are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-94	Improper Control of Generation of Code ('Code Injection')

System	Score	Found at
epss	0.0534	https://api.first.org/data/v1/epss?cve=CVE-2021-23389
epss	0.0534	https://api.first.org/data/v1/epss?cve=CVE-2021-23389
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-7fm6-gxqg-2pwr
cvssv3.1	9.8	https://github.com/totaljs/framework/blob/master/utils.js%23L6606-L6631
generic_textual	CRITICAL	https://github.com/totaljs/framework/blob/master/utils.js%23L6606-L6631
cvssv3.1	9.8	https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3
generic_textual	CRITICAL	https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3
cvssv3.1	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-23389
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2021-23389
cvssv3.1	9.8	https://snyk.io/vuln/SNYK-JS-TOTALJS-1088607
generic_textual	CRITICAL	https://snyk.io/vuln/SNYK-JS-TOTALJS-1088607

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2021-23389
		https://github.com/totaljs/framework/blob/master/utils.js%23L6606-L6631
		https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3
		https://snyk.io/vuln/SNYK-JS-TOTALJS-1088607
CVE-2021-23389		https://nvd.nist.gov/vuln/detail/CVE-2021-23389
GHSA-7fm6-gxqg-2pwr		https://github.com/advisories/GHSA-7fm6-gxqg-2pwr

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/totaljs/framework/blob/master/utils.js%23L6606-L6631

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-23389

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://snyk.io/vuln/SNYK-JS-TOTALJS-1088607

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.9023
EPSS Score	0.0534
Published At	June 4, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:39:28.481886+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/total.js/CVE-2021-23389.yml	38.6.0