Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package ejs, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (5)
CVE-2017-1000228 — CVSS 9.8 (critical): nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
CVE-2022-29078 — CVSS 9.8 (critical): The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view…
CVE-2017-1000189 — CVSS 7.5 (high): nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
CVE-2017-1000188 — CVSS 6.1 (medium): nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection
CVE-2024-33883 — CVSS 4.0 (medium): The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.