Name of the Vulnerable Software and Affected Versions domokeeper versions (all)

Description The issue allows for Local File Inclusion, where the /plugin/ route passes a GET parameter unsanitized to a require() call, returning the output in the server response. This could enable attackers to load unintended code or exfiltrate information from .json files.

Recommendations For all versions, consider using an alternative package until a fix is made available. As a temporary workaround, consider restricting access to the /plugin/ route to minimize the risk of exploitation. Avoid using the require() function with unsanitized input until the issue is resolved.