Source
ghsa
A command injection vulnerability affects all versions of package deferred-exec. The injection point is located at line 42 of lib/deferred-exec.js.
All versions of package git-archive are vulnerable to Command Injection via the exports function.
A command injection vulnerability affects all versions of the deprecated package google-cloudstorage-commands.
This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.
All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. @ianwalter/merge is [deprecated](https://github.com/ianwalter/merge/blob/master/README.md) and the maintainer suggests using [@generates/merger](https://github.com/generates/generates/tree/main/packages/merger) instead.
A command injection vulnerability affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js.
The package ntesseract before 0.2.9 is vulnerable to Command Injection via lib/tesseract.js.
Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.
In Mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.
Microweber prior to version 1.2.20 is vulnerable to stored Cross-site Scripting (XSS).