Forbes Lindesay

**Name of the Vulnerable Software and Affected Versions** pug versions prior to 3.0.1 pug-code-gen versions prior to 2.0.3 **Description** The issue is related to the insufficient neutralization of special elements in the output of the Pug HTML preprocessor, specifically in the VisitMixin and visitMixinBlock functions. This can allow a remote attacker to execute arbitrary code if they can control the `pretty` option of the pug compiler, for example, by spreading a user-provided object into the pug template inputs. **Recommendations** For pug versions prior to 3.0.1, upgrade to version 3.0.1 or later. For pug-code-gen versions prior to 2.0.3, upgrade to version 2.0.3 or later. As a temporary workaround, consider compiling templates in advance before applying user input to them, to prevent un-trusted input from being passed to pug as the `pretty` option.