彙總 ejs 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 輸入驗證問題與跨站腳本,在 生產負載與軟體部署 使用場景中可能帶來 異常行為與工作階段劫持 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2023-29827 | ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input. | [email protected] | 9.8 | 5.55% | 2023-05-04 | 2026-06-17 |
| CVE-2022-29078 | The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation). | [email protected] | 9.8 | 32.39% | 2022-04-25 | 2026-06-17 |
| CVE-2017-1000228 | nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function | [email protected] | 9.8 | 6.33% | 2017-11-16 | 2026-06-16 |
| CVE-2017-1000189 | nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile() | [email protected] | 7.5 | 2.27% | 2017-11-16 | 2026-06-16 |
| CVE-2017-1000188 | nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection | [email protected] | 6.1 | 1.23% | 2017-11-16 | 2026-06-16 |