Ejs

ejs

Vendor: Ejs • 5 CVEs

CVEs (5)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-29827 1Ejs 1Ejs Dec 3, 2025 May 4, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is dispute...Show more ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.Show less
CVE-2022-29078 1Ejs 1Ejs Nov 21, 2024 Apr 25, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFu...Show more The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).Show less
CVE-2017-1000228 1Ejs 1Ejs May 13, 2026 Nov 17, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
CVE-2017-1000189 1Ejs 1Ejs May 13, 2026 Nov 17, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
CVE-2017-1000188 1Ejs 1Ejs May 13, 2026 Nov 17, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection