[VANTA] [VULNERABILITY] <CRITICAL> CVE-2026-24001, CVE-2026-2950, CVE-2026-33750 and others, fix before 2026-04-26

> [!IMPORTANT]
> CLOSE THE ISSUE ONLY IF YOU PLAN TO DEPLOY THE FIX BEFORE THE DEADLINE IN THE TITLE.
>
> DO NOT MANUALLY MODIFY THE ISSUE TITLE OR TEXT BODY.

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>CVE-2026-33937</ins> CRITICAL</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-33937</ins> **CRITICAL** remediate by: 2026-04-26T22:19:27.887Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/53

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33937
> - https://github.com/advisories/GHSA-2w6w-674q-4c4q
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>CVE-2026-33941</ins> HIGH</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-33941</ins> **HIGH** remediate by: 2026-04-26T22:19:28.149Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/52

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33941
> - https://github.com/advisories/GHSA-xjpj-3mr7-gcpf
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>CVE-2026-33940</ins> HIGH</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-33940</ins> **HIGH** remediate by: 2026-04-26T22:19:28.149Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/49

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33940
> - https://github.com/advisories/GHSA-xhpv-hc6g-r9c6
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>CVE-2026-33938</ins> HIGH</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-33938</ins> **HIGH** remediate by: 2026-04-26T22:19:28.149Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/50

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33938
> - https://github.com/advisories/GHSA-3mfm-83xf-c92r
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>CVE-2026-33939</ins> HIGH</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-33939</ins> **HIGH** remediate by: 2026-04-26T22:19:28.149Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/51

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33939
> - https://github.com/advisories/GHSA-9cx6-37pm-9jff
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>GHSA-442j-39wm-28r2</ins> LOW</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>GHSA-442j-39wm-28r2</ins> **LOW** remediate by: 2026-06-27T22:22:40.282Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/57

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://github.com/advisories/GHSA-442j-39wm-28r2
> 
> </details>

</details>

<details><summary>FIXED <code>npm-serialize-javascript <= 7.0.2</code> <ins>GHSA-5c6j-r48x-rmvq</ins> HIGH</summary>

`npm-serialize-javascript <= 7.0.2` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>GHSA-5c6j-r48x-rmvq</ins> **HIGH** remediate by: 2026-04-29T22:15:21.750Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/40

> <details><summary>Related URLs</summary>
> 
> - https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq
> - https://nvd.nist.gov/vuln/detail/CVE-2020-7660
> - https://github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9
> - https://github.com/advisories/GHSA-hxcc-f52p-wc94
> - https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3
> - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
> 
> </details>

</details>

<details><summary>FIXED <code>npm-lodash-es >= 4.0.0, <= 4.17.23</code> <ins>CVE-2026-4800</ins> HIGH</summary>

`npm-lodash-es >= 4.0.0, <= 4.17.23` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-4800</ins> **HIGH** remediate by: 2026-05-02T14:38:24.409Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/59

> <details><summary>Related URLs</summary>
> 
> - https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc
> - https://nvd.nist.gov/vuln/detail/CVE-2026-4800
> - https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
> - https://cna.openjsf.org/security-advisories.html
> - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
> - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
> 
> </details>

</details>

<details><summary>FIXED <code>npm-lodash >= 4.0.0, <= 4.17.23</code> <ins>CVE-2026-4800</ins> HIGH</summary>

`npm-lodash >= 4.0.0, <= 4.17.23` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-4800</ins> **HIGH** remediate by: 2026-05-10T06:21:04.459Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/60

> <details><summary>Related URLs</summary>
> 
> - https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc
> - https://nvd.nist.gov/vuln/detail/CVE-2026-4800
> - https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
> - https://cna.openjsf.org/security-advisories.html
> - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
> - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, < 4.7.9</code> <ins>CVE-2026-33916</ins> MEDIUM</summary>

`npm-handlebars >= 4.0.0, < 4.7.9` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-33916</ins> **MEDIUM** remediate by: 2026-05-26T06:15:32.686Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/47

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
> - https://nvd.nist.gov/vuln/detail/CVE-2021-23369
> - https://nvd.nist.gov/vuln/detail/CVE-2021-23383
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33916
> - https://github.com/advisories/GHSA-2qvq-rjwj-gvw9
> 
> </details>

</details>

<details><summary>FIXED <code>npm-brace-expansion >= 4.0.0, < 5.0.5</code> <ins>CVE-2026-33750</ins> MEDIUM</summary>

`npm-brace-expansion >= 4.0.0, < 5.0.5` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-33750</ins> **MEDIUM** remediate by: 2026-05-26T22:19:28.497Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/48

> <details><summary>Related URLs</summary>
> 
> - https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
> - https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
> - https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
> - https://github.com/juliangruber/brace-expansion/issues/98
> - https://github.com/juliangruber/brace-expansion/pull/95
> - https://github.com/juliangruber/brace-expansion/pull/96
> - https://github.com/juliangruber/brace-expansion/pull/97
> - https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
> - https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
> - https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33750
> - https://github.com/advisories/GHSA-f886-m6hf-6m8v
> 
> </details>

</details>

<details><summary>FIXED <code>npm-serialize-javascript < 7.0.5</code> <ins>CVE-2026-34043</ins> MEDIUM</summary>

`npm-serialize-javascript < 7.0.5` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-34043</ins> **MEDIUM** remediate by: 2026-05-28T14:18:26.573Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/54

> <details><summary>Related URLs</summary>
> 
> - https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v
> - https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b
> - https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5
> - https://nvd.nist.gov/vuln/detail/CVE-2026-34043
> - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
> 
> </details>

</details>

<details><summary>FIXED <code>npm-brace-expansion >= 2.0.0, < 2.0.3</code> <ins>CVE-2026-33750</ins> MEDIUM</summary>

`npm-brace-expansion >= 2.0.0, < 2.0.3` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-33750</ins> **MEDIUM** remediate by: 2026-05-28T22:22:39.992Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/55

> <details><summary>Related URLs</summary>
> 
> - https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
> - https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
> - https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
> - https://github.com/juliangruber/brace-expansion/issues/98
> - https://github.com/juliangruber/brace-expansion/pull/95
> - https://github.com/juliangruber/brace-expansion/pull/96
> - https://github.com/juliangruber/brace-expansion/pull/97
> - https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
> - https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
> - https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33750
> - https://github.com/advisories/GHSA-f886-m6hf-6m8v
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.6.0, <= 4.7.8</code> <ins>GHSA-7rx3-28cr-v5wh</ins> MEDIUM</summary>

`npm-handlebars >= 4.6.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>GHSA-7rx3-28cr-v5wh</ins> **MEDIUM** remediate by: 2026-05-28T22:22:39.992Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/56

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh
> - https://github.com/advisories/GHSA-765h-qjxv-5f44
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://github.com/advisories/GHSA-7rx3-28cr-v5wh
> 
> </details>

</details>

<details><summary>FIXED <code>npm-lodash-es <= 4.17.23</code> <ins>CVE-2026-2950</ins> MEDIUM</summary>

`npm-lodash-es <= 4.17.23` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-2950</ins> **MEDIUM** remediate by: 2026-06-01T14:38:24.736Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/58

> <details><summary>Related URLs</summary>
> 
> - https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
> - https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
> - https://nvd.nist.gov/vuln/detail/CVE-2026-2950
> - https://github.com/advisories/GHSA-f23m-r3pf-42rh
> 
> </details>

</details>

<details><summary>FIXED <code>npm-lodash <= 4.17.23</code> <ins>CVE-2026-2950</ins> MEDIUM</summary>

`npm-lodash <= 4.17.23` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-2950</ins> **MEDIUM** remediate by: 2026-06-09T14:23:14.879Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/61

> <details><summary>Related URLs</summary>
> 
> - https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
> - https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
> - https://nvd.nist.gov/vuln/detail/CVE-2026-2950
> - https://github.com/advisories/GHSA-f23m-r3pf-42rh
> 
> </details>

</details>

<details><summary>FIXED <code>npm-diff >= 6.0.0, < 8.0.3</code> <ins>CVE-2026-24001</ins> LOW</summary>

`npm-diff >= 6.0.0, < 8.0.3` CODE_REPOSITORY/commercelayer-cli-plugin-links <ins>CVE-2026-24001</ins> **LOW** remediate by: 2026-06-28T22:15:22.360Z
- https://github.com/commercelayer/commercelayer-cli-plugin-links/security/dependabot/45

> <details><summary>Related URLs</summary>
> 
> - https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx
> - https://github.com/kpdecker/jsdiff/pull/649
> - https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5
> - https://github.com/kpdecker/jsdiff/issues/653
> - https://nvd.nist.gov/vuln/detail/CVE-2026-24001
> - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
> 
> </details>

</details>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[VANTA] [VULNERABILITY] <CRITICAL> CVE-2026-24001, CVE-2026-2950, CVE-2026-33750 and others, fix before 2026-04-26 #7

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[VANTA] [VULNERABILITY] <CRITICAL> CVE-2026-24001, CVE-2026-2950, CVE-2026-33750 and others, fix before 2026-04-26 #7

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions