Ermilov

**Name of the Vulnerable Software and Affected Versions** jsreport versions 2.5.0 and earlier **Description** The issue allows attackers to execute arbitrary code due to unintended require and server-side request forgery vulnerabilities. **Recommendations** For jsreport versions 2.5.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** script-manager versions 0.8.6 and earlier **Description** The issue is related to an unintended require vulnerability that may allow attackers to execute arbitrary code. **Recommendations** For script-manager versions 0.8.6 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** larvitbase-api versions prior to 0.5.4 **Description** The issue allows an attacker to load arbitrary non-production code, specifically JavaScript files, due to an unintended require vulnerability. This is possible because the package exposes an API endpoint and passes a GET parameter unsanitized to a require() call, allowing attackers to execute any .js file in the same folder as the server is running. **Recommendations** Upgrade to version 0.5.4 or later.