Security: Ourbigbook

218 Vulnerabilities
41 Credential Leaks

Vulnerabilities (218)

Source: Repobility analyzer (https://repobility.com)
| Severity | ID | Package | Version | Summary |
|---|---|---|---|---|
| critical | CVE-2025-62718 | axios | 1.7.7 | Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF |
| critical | GHSA-f82v-jwr5-mffw | next | 14.0.4 | |
| critical | CVE-2025-7783 | form-data | 2.3.3 | form-data: Unsafe random function in form-data |
| critical | GHSA-f598-mfpv-gmfx | sequelize | 6.14.0 | |
| critical | GHSA-vqfx-gj96-3w95 | sequelize | 6.14.0 | |
| critical | GHSA-7f3x-x4pr-wqhj | parse-url | 6.0.0 | |
| critical | GHSA-m7jm-9gc2-mpf2 | fast-xml-parser | 5.2.5 | |
| critical | CVE-2023-22578 | sequelize | 6.14.0 | Sequelize - Default support for “raw attributes” when using parentheses |
| critical | CVE-2023-22579 | sequelize | 6.14.0 | Unsafe fall-through in getWhereConditions |
| critical | GHSA-fjxv-7rqg-78g4 | form-data | 1.0.1 | |
| critical | GHSA-j9fq-vwqv-2fm2 | parse-url | 6.0.0 | |
| critical | GHSA-wrh9-cjv3-2hpw | sequelize | 6.14.0 | |
| critical | GHSA-jf85-cpcp-j695 | lodash | 3.10.1 | |
| critical | GHSA-gwg9-rgvj-4h5j | morgan | 1.7.0 | |
| critical | GHSA-3p68-rc4w-qgx5 | axios | 0.19.2 | |
| critical | CVE-2023-25813 | sequelize | 6.14.0 | Sequelize vulnerable to SQL Injection via replacements |
| critical | GHSA-5p42-m6f3-hpmj | tree-kit | 0.7.4 | |
| critical | CVE-2022-2900 | parse-url | 6.0.5 | Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url |
| high | GHSA-fr5h-rqp8-mj6g | next | 14.0.4 | |
| high | CVE-2024-4068 | braces | 3.0.2 | braces: fails to limit the number of characters it can handle |
| high | CVE-2026-33285 | liquidjs | 10.21.1 | LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash |
| high | CVE-2026-33287 | liquidjs | 10.21.1 | LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern |
| high | CVE-2026-35525 | liquidjs | 10.21.1 | LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates |
| high | GHSA-6q5m-63h6-5x4v | liquidjs | 10.21.1 | |
| high | GHSA-9r5m-9576-7f6x | liquidjs | 10.21.1 | |
| high | CVE-2025-12758 | validator | 13.11.0 | Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements |
| high | CVE-2021-23337 | lodash | 4.17.20 | nodejs-lodash: command injection via template |
| high | CVE-2026-4800 | lodash | 4.17.20 | lodash: lodash: Arbitrary code execution via untrusted input in template imports |
| high | GHSA-r5fr-rjxr-66jc | lodash | 4.17.20 | |
| high | GHSA-gqgv-6jq5-jjj9 | qs | 4.0.0 | |
| high | GHSA-4p35-cfcx-8653 | parse-url | 6.0.0 | |
| high | CVE-2026-26996 | minimatch | 3.1.2 | minimatch: minimatch: Denial of Service via specially crafted glob patterns |
| high | CVE-2026-27903 | minimatch | 3.1.2 | minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns |
| high | CVE-2026-27904 | minimatch | 3.1.2 | minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions |
| high | CVE-2022-29244 | npm | 8.7.0 | nodejs: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace |
| high | CVE-2022-0624 | parse-path | 4.0.4 | Authorization Bypass in parse-path |
| high | GHSA-rcmh-qjqh-p98v | nodemailer | 7.0.5 | |
| high | CVE-2026-33671 | picomatch | 2.3.1 | picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns |
| high | GHSA-c429-5p7v-vgjp | hoek | 2.16.3 | |
| high | GHSA-hrpp-h998-j3pp | qs | 4.0.0 | |
| high | CVE-2026-31802 | tar | 2.2.2 | tar: tar: File overwrite via drive-relative symlink traversal |
| high | GHSA-9vvw-cc9w-f27h | debug | 2.2.0 | |
| high | CVE-2022-25883 | semver | 5.3.0 | nodejs-semver: Regular expression denial of service |
| high | CVE-2026-30951 | sequelize | 6.14.0 | sequelize: Sequelize: Data exfiltration via SQL injection in JSON/JSONB where clause processing |
| high | GHSA-8cf7-32gw-wr33 | jsonwebtoken | 5.7.0 | |
| high | CVE-2022-21227 | sqlite3 | 5.0.2 | sqlite3: Denial of Service (DoS) in sqlite3 |
| high | CVE-2022-43441 | sqlite3 | 5.0.2 | A code execution vulnerability exists in the Statement Bindings functi ... |
| high | CVE-2021-32804 | tar | 2.2.2 | nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite |
| high | CVE-2021-37713 | tar | 2.2.2 | nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization |
| high | CVE-2026-23745 | tar | 2.2.2 | node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives |

Credential Findings (41)

Repobility analysis · methodology at https://repobility.com/research/
| Severity | Pattern | File | Line |
|---|---|---|---|
| critical | Vault Token | web/front/EditorPage.tsx | 383 |
| critical | Vault Token | editor.js | 33 |
| critical | Vault Token | editor.js | 61 |
| critical | Vault Token | editor.js | 181 |
| critical | Vault Token | editor.js | 191 |
| critical | Vault Token | editor.js | 194 |
| critical | Vault Token | editor.js | 372 |
| critical | Database URL with Password | nodejs_webpack_safe.js | 731 |
| critical | Vault Token | todo.bigb | 85 |
| critical | Vault Token | todo.bigb | 106 |
| critical | Vault Token | vscode/src/extension.ts | 365 |
| critical | Vault Token | vscode/src/extension.ts | 541 |
| critical | Vault Token | vscode/src/extension.ts | 636 |
| critical | Vault Token | vscode/src/extension.ts | 703 |
| critical | [sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data | web/api/min.js | 18 |
| critical | [sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data | web/api/min.js | 45 |
| critical | Vault Token | web/back/IssuePage.ts | 74 |
| critical | Vault Token | web/bin/rerender-articles.js | 28 |
| critical | Vault Token | editor.js | 27 |
| critical | Vault Token | web/models/site.js | 22 |
| critical | Vault Token | web/models/user.js | 300 |
| critical | Vault Token | web/models/user.js | 369 |
| critical | Vault Token | web/models/user.js | 381 |
| critical | Vault Token | web/models/user.js | 479 |
| high | [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment | editor.js | 254 |
| high | [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment | editor.js | 283 |
| high | [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment | editor.js | 292 |
| high | [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL | web/front/EditorPage.tsx | 90 |
| high | [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL | nodejs_webpack_safe.js | 415 |
| high | [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL | nodejs_webpack_safe.js | 428 |
| high | [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment | ourbigbook_runtime.js | 410 |
| high | [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment | ourbigbook_runtime.js | 416 |
| high | [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL | web/front/fetcher.ts | 22 |
| high | [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment | web/front/Article.tsx | 906 |
| high | [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment | web/front/Article.tsx | 916 |
| high | [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment | web/front/Article.tsx | 921 |
| high | [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment | web/front/Article.tsx | 1028 |
| high | [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL | web_api.js | 213 |
| high | [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL | web/front/EditorPage.tsx | 67 |
| high | [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL | web/front/EditorPage.tsx | 82 |
| high | [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL | web/api/users.js | 261 |