Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-dy27-1mgt-skf1
Vulnerability ID VCID-dy27-1mgt-skf1
Aliases CVE-2024-36361
GHSA-3965-hpx2-q597
Summary Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-94 Improper Control of Generation of Code ('Code Injection')
System Score Found at
epss 0.00363 https://api.first.org/data/v1/epss?cve=CVE-2024-36361
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-3965-hpx2-q597
cvssv3.1 6.8 https://github.com/pugjs/pug/pull/3428
ssvc Track* https://github.com/pugjs/pug/pull/3428
cvssv3.1 6.8 https://pugjs.org/api/reference.html
ssvc Track* https://pugjs.org/api/reference.html
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-36361
https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug
https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328
https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb
https://github.com/pugjs/pug/pull/3438
https://github.com/pugjs/pug/releases/tag/pug%403.0.3
https://www.npmjs.com/package/pug-code-gen
3428 https://github.com/pugjs/pug/pull/3428
CVE-2024-36361 https://nvd.nist.gov/vuln/detail/CVE-2024-36361
GHSA-3965-hpx2-q597 https://github.com/advisories/GHSA-3965-hpx2-q597
reference.html https://pugjs.org/api/reference.html
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/pugjs/pug/pull/3428
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-06T15:59:41Z/ Found at https://github.com/pugjs/pug/pull/3428
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://pugjs.org/api/reference.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-06T15:59:41Z/ Found at https://pugjs.org/api/reference.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.58793
EPSS Score 0.00363
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:33:44.583675+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/36xxx/CVE-2024-36361.json 38.6.0