[VANTA] [VULNERABILITY] <CRITICAL> CVE-2026-2950, CVE-2026-33750, CVE-2026-33916 and others, fix before 2026-04-26

[commercelayer-ci]

Important

CLOSE THE ISSUE ONLY IF YOU PLAN TO DEPLOY THE FIX BEFORE THE DEADLINE IN THE TITLE.

DO NOT MANUALLY MODIFY THE ISSUE TITLE OR TEXT BODY.

FIXED npm-handlebars >= 4.0.0, <= 4.7.8 CVE-2026-33937 CRITICAL

npm-handlebars >= 4.0.0, <= 4.7.8 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-33937 CRITICAL remediate by: 2026-04-26T22:19:27.887Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/58

Related URLs

• GHSA-2w6w-674q-4c4q
• handlebars-lang/handlebars.js@68d8df5
• https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
• https://nvd.nist.gov/vuln/detail/CVE-2026-33937
• GHSA-2w6w-674q-4c4q

FIXED npm-handlebars >= 4.0.0, <= 4.7.8 CVE-2026-33941 HIGH

npm-handlebars >= 4.0.0, <= 4.7.8 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-33941 HIGH remediate by: 2026-04-26T22:19:28.149Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/56

Related URLs

• GHSA-xjpj-3mr7-gcpf
• handlebars-lang/handlebars.js@68d8df5
• https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
• https://nvd.nist.gov/vuln/detail/CVE-2026-33941
• GHSA-xjpj-3mr7-gcpf

FIXED npm-handlebars >= 4.0.0, <= 4.7.8 CVE-2026-33940 HIGH

npm-handlebars >= 4.0.0, <= 4.7.8 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-33940 HIGH remediate by: 2026-04-26T22:19:28.149Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/57

Related URLs

• GHSA-xhpv-hc6g-r9c6
• handlebars-lang/handlebars.js@68d8df5
• https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
• https://nvd.nist.gov/vuln/detail/CVE-2026-33940
• GHSA-xhpv-hc6g-r9c6

FIXED npm-handlebars >= 4.0.0, <= 4.7.8 CVE-2026-33938 HIGH

npm-handlebars >= 4.0.0, <= 4.7.8 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-33938 HIGH remediate by: 2026-04-26T22:19:28.149Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/59

Related URLs

• GHSA-3mfm-83xf-c92r
• handlebars-lang/handlebars.js@68d8df5
• https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
• https://nvd.nist.gov/vuln/detail/CVE-2026-33938
• GHSA-3mfm-83xf-c92r

FIXED npm-handlebars >= 4.0.0, <= 4.7.8 CVE-2026-33939 HIGH

npm-handlebars >= 4.0.0, <= 4.7.8 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-33939 HIGH remediate by: 2026-04-26T22:19:28.149Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/60

Related URLs

• GHSA-9cx6-37pm-9jff
• handlebars-lang/handlebars.js@68d8df5
• https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
• https://nvd.nist.gov/vuln/detail/CVE-2026-33939
• GHSA-9cx6-37pm-9jff

FIXED npm-handlebars >= 4.0.0, <= 4.7.8 GHSA-442j-39wm-28r2 LOW

npm-handlebars >= 4.0.0, <= 4.7.8 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning GHSA-442j-39wm-28r2 LOW remediate by: 2026-06-27T22:22:40.282Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/63

Related URLs

• GHSA-442j-39wm-28r2
• handlebars-lang/handlebars.js@68d8df5
• https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
• GHSA-442j-39wm-28r2

FIXED npm-lodash-es >= 4.0.0, <= 4.17.23 CVE-2026-4800 HIGH

npm-lodash-es >= 4.0.0, <= 4.17.23 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-4800 HIGH remediate by: 2026-05-02T14:38:24.409Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/66

Related URLs

• GHSA-r5fr-rjxr-66jc
• https://nvd.nist.gov/vuln/detail/CVE-2026-4800
• lodash/lodash@3469357
• https://cna.openjsf.org/security-advisories.html
• GHSA-35jh-r3h4-6jhm
• GHSA-r5fr-rjxr-66jc

FIXED npm-lodash >= 4.0.0, <= 4.17.23 CVE-2026-4800 HIGH

npm-lodash >= 4.0.0, <= 4.17.23 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-4800 HIGH remediate by: 2026-05-10T06:21:04.459Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/67

Related URLs

• GHSA-r5fr-rjxr-66jc
• https://nvd.nist.gov/vuln/detail/CVE-2026-4800
• lodash/lodash@3469357
• https://cna.openjsf.org/security-advisories.html
• GHSA-35jh-r3h4-6jhm
• GHSA-r5fr-rjxr-66jc

FIXED npm-handlebars >= 4.0.0, < 4.7.9 CVE-2026-33916 MEDIUM

npm-handlebars >= 4.0.0, < 4.7.9 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-33916 MEDIUM remediate by: 2026-05-26T06:15:32.686Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/54

Related URLs

• GHSA-2qvq-rjwj-gvw9
• https://nvd.nist.gov/vuln/detail/CVE-2021-23369
• https://nvd.nist.gov/vuln/detail/CVE-2021-23383
• handlebars-lang/handlebars.js@68d8df5
• https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
• https://nvd.nist.gov/vuln/detail/CVE-2026-33916
• GHSA-2qvq-rjwj-gvw9

FIXED npm-brace-expansion >= 4.0.0, < 5.0.5 CVE-2026-33750 MEDIUM

npm-brace-expansion >= 4.0.0, < 5.0.5 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-33750 MEDIUM remediate by: 2026-05-26T22:19:28.497Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/55

Related URLs

• GHSA-f886-m6hf-6m8v
• https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
• https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
• Update affected versions for GHSA-f886-m6hf-6m8v (Patches backported to v1, v2, v3) juliangruber/brace-expansion#98
• Backport fix for GHSA-f886-m6hf-6m8v to v1 juliangruber/brace-expansion#95
• Backport fix for GHSA-f886-m6hf-6m8v to v2 juliangruber/brace-expansion#96
• Backport fix for GHSA-f886-m6hf-6m8v to v3 juliangruber/brace-expansion#97
• juliangruber/brace-expansion@311ac0d
• juliangruber/brace-expansion@7fd684f
• juliangruber/brace-expansion@b9cacd9
• https://nvd.nist.gov/vuln/detail/CVE-2026-33750
• GHSA-f886-m6hf-6m8v

FIXED npm-serialize-javascript < 7.0.5 CVE-2026-34043 MEDIUM

npm-serialize-javascript < 7.0.5 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-34043 MEDIUM remediate by: 2026-05-28T14:18:26.573Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/61

Related URLs

• GHSA-qj8w-gfj5-8c6v
• yahoo/serialize-javascript@f147e90
• https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5
• https://nvd.nist.gov/vuln/detail/CVE-2026-34043
• GHSA-qj8w-gfj5-8c6v

FIXED npm-brace-expansion >= 2.0.0, < 2.0.3 CVE-2026-33750 MEDIUM

npm-brace-expansion >= 2.0.0, < 2.0.3 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-33750 MEDIUM remediate by: 2026-05-28T22:22:39.992Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/62

Related URLs

• GHSA-f886-m6hf-6m8v
• https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
• https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
• Update affected versions for GHSA-f886-m6hf-6m8v (Patches backported to v1, v2, v3) juliangruber/brace-expansion#98
• Backport fix for GHSA-f886-m6hf-6m8v to v1 juliangruber/brace-expansion#95
• Backport fix for GHSA-f886-m6hf-6m8v to v2 juliangruber/brace-expansion#96
• Backport fix for GHSA-f886-m6hf-6m8v to v3 juliangruber/brace-expansion#97
• juliangruber/brace-expansion@311ac0d
• juliangruber/brace-expansion@7fd684f
• juliangruber/brace-expansion@b9cacd9
• https://nvd.nist.gov/vuln/detail/CVE-2026-33750
• GHSA-f886-m6hf-6m8v

FIXED npm-handlebars >= 4.6.0, <= 4.7.8 GHSA-7rx3-28cr-v5wh MEDIUM

npm-handlebars >= 4.6.0, <= 4.7.8 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning GHSA-7rx3-28cr-v5wh MEDIUM remediate by: 2026-05-28T22:22:39.992Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/64

Related URLs

• GHSA-7rx3-28cr-v5wh
• GHSA-765h-qjxv-5f44
• https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
• GHSA-7rx3-28cr-v5wh

FIXED npm-lodash-es <= 4.17.23 CVE-2026-2950 MEDIUM

npm-lodash-es <= 4.17.23 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-2950 MEDIUM remediate by: 2026-06-01T14:38:24.736Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/65

Related URLs

• GHSA-f23m-r3pf-42rh
• GHSA-xxjr-mmjv-4gpg
• https://nvd.nist.gov/vuln/detail/CVE-2026-2950
• GHSA-f23m-r3pf-42rh

FIXED npm-lodash <= 4.17.23 CVE-2026-2950 MEDIUM

npm-lodash <= 4.17.23 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-2950 MEDIUM remediate by: 2026-06-09T14:23:14.879Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/68

Related URLs

• GHSA-f23m-r3pf-42rh
• GHSA-xxjr-mmjv-4gpg
• https://nvd.nist.gov/vuln/detail/CVE-2026-2950
• GHSA-f23m-r3pf-42rh

[commercelayer-ci]

No vulnerability is detected anymore.