ghsa

All versions of package git-archive are vulnerable to Command Injection via the exports function.

A command injection vulnerability affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js

A command injection vulnerability affects all versions of the deprecated package google-cloudstorage-commands.

All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. @ianwalter/merge is [deprecated](https://github.com/ianwalter/merge/blob/master/README.md) and the maintainer suggests using [@generates/merger](https://github.com/generates/generates/tree/main/packages/merger) instead.

The package ntesseract before 0.2.9 is vulnerable to Command Injection via lib/tesseract.js.

A command injection vulnerability affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js.

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.

In Mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.

Microwerber prior to version 1.2.20 is vulnerable to stored Cross-site Scripting (XSS).

Microweber prior to 1.2.21 is vulnerable to reflected cross-site scripting (XSS).