Skip to content

vitawind-2.2.4.tgz: 5 vulnerabilities (highest severity is: 6.1) #10

Description

@mend-bolt-for-github
Vulnerable Library - vitawind-2.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss/package.json

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (vitawind version) Remediation Possible**
CVE-2026-41305 Medium 6.1 postcss-8.4.16.tgz Transitive 2.3.0
CVE-2024-4067 Medium 5.3 micromatch-4.0.5.tgz Transitive 2.3.0
CVE-2023-44270 Medium 5.3 postcss-8.4.16.tgz Transitive 2.3.0
CVE-2026-9358 Medium 4.3 postcss-selector-parser-6.0.10.tgz Transitive N/A*
CVE-2026-33532 Medium 4.3 yaml-1.10.2.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-41305

Vulnerable Library - postcss-8.4.16.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.4.16.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss/package.json

Dependency Hierarchy:

  • vitawind-2.2.4.tgz (Root Library)
    • postcss-8.4.16.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape "</style>" sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML "<style>" tags, "</style>" in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.

Publish Date: 2026-04-24

URL: CVE-2026-41305

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qx2v-qp2m-jg93

Release Date: 2026-04-24

Fix Resolution (postcss): 8.5.10

Direct dependency fix Resolution (vitawind): 2.3.0

Step up your Open Source Security Game with Mend here

CVE-2024-4067

Vulnerable Library - micromatch-4.0.5.tgz

Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/package.json

Dependency Hierarchy:

  • vitawind-2.2.4.tgz (Root Library)
    • tailwindcss-3.1.8.tgz
      • fast-glob-3.2.11.tgz
        • micromatch-4.0.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch.braces()" in "index.js" because the pattern ".*" will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.

Publish Date: 2024-05-13

URL: CVE-2024-4067

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution (micromatch): 4.0.8

Direct dependency fix Resolution (vitawind): 2.3.0

Step up your Open Source Security Game with Mend here

CVE-2023-44270

Vulnerable Library - postcss-8.4.16.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.4.16.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss/package.json

Dependency Hierarchy:

  • vitawind-2.2.4.tgz (Root Library)
    • postcss-8.4.16.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Publish Date: 2023-09-29

URL: CVE-2023-44270

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-7fh5-64p2-3v2j

Release Date: 2023-09-29

Fix Resolution (postcss): 8.4.31

Direct dependency fix Resolution (vitawind): 2.3.0

Step up your Open Source Security Game with Mend here

CVE-2026-9358

Vulnerable Library - postcss-selector-parser-6.0.10.tgz

> Selector parser with built in methods for working with selector strings.

Library home page: https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss-selector-parser/package.json

Dependency Hierarchy:

  • vitawind-2.2.4.tgz (Root Library)
    • tailwindcss-3.1.8.tgz
      • postcss-selector-parser-6.0.10.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was determined in postcss-selector-parser up to 6.1.2/7.1.2. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 6.1.3 and 7.1.3 is able to address this issue. This patch is called 5bc698cef66f8abd12610dc623e5d67cbc0f869d. It is suggested to upgrade the affected component. The vendor explains, that according to his definition "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)." The commits were backported to 6.x branch, which was the most downloaded version.

Publish Date: 2026-05-24

URL: CVE-2026-9358

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2026-33532

Vulnerable Library - yaml-1.10.2.tgz

JavaScript parser and stringifier for YAML

Library home page: https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/yaml/package.json

Dependency Hierarchy:

  • vitawind-2.2.4.tgz (Root Library)
    • tailwindcss-3.1.8.tgz
      • postcss-load-config-3.1.4.tgz
        • yaml-1.10.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

"yaml" is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of "yaml" on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a "RangeError: Maximum call stack size exceeded" with a small payload (~2–10 KB). The "RangeError" is not a "YAMLParseError", so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one "[" and one "]"). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library's "Parser" (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: "YAML.parse()", "YAML.parseDocument()", and "YAML.parseAllDocuments()". Versions 1.10.3 and 2.8.3 contain a patch.

Publish Date: 2026-03-26

URL: CVE-2026-33532

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-25

Fix Resolution: https://github.com/eemeli/yaml.git - v1.10.3,https://github.com/eemeli/yaml.git - v2.8.3

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions