[VANTA] [VULNERABILITY] <HIGH> CVE-2026-24842, CVE-2026-23950, CVE-2025-13465 and others, fix before 2026-02-15

> [!IMPORTANT]
> DO NOT MODIFY THE TEXT BELOW AND CLOSE THE ISSUE ONLY IF YOU PLAN TO DEPLOY THE FIX BEFORE 2026-02-15.

`npm-tar <= 7.5.2` CODE_REPOSITORY/commercelayer-react-components <ins>CVE-2026-23745</ins> **HIGH** remediate by: 2026-02-16T06:15:39.198Z
- https://github.com/commercelayer/commercelayer-react-components/security/dependabot/125

  - https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
  - https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
  - https://github.com/advisories/GHSA-8qq5-rm4j-mr97

`npm-tar <= 7.5.3` CODE_REPOSITORY/commercelayer-react-components <ins>CVE-2026-23950</ins> **HIGH** remediate by: 2026-02-20T06:15:54.560Z
- https://github.com/commercelayer/commercelayer-react-components/security/dependabot/127

  - https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w
  - https://nvd.nist.gov/vuln/detail/CVE-2026-23950
  - https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6
  - https://github.com/advisories/GHSA-r6q2-hw4h-h46w

`npm-tar < 7.5.7` CODE_REPOSITORY/commercelayer-react-components <ins>CVE-2026-24842</ins> **HIGH** remediate by: 2026-02-27T22:15:53.692Z
- https://github.com/commercelayer/commercelayer-react-components/security/dependabot/129

  - https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
  - https://nvd.nist.gov/vuln/detail/CVE-2026-24842
  - https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
  - https://github.com/advisories/GHSA-34x7-hfp2-rc4v

`npm-lodash >= 4.0.0, <= 4.17.22` CODE_REPOSITORY/commercelayer-react-components <ins>CVE-2025-13465</ins> **MEDIUM** remediate by: 2026-03-23T06:15:19.249Z
- https://github.com/commercelayer/commercelayer-react-components/security/dependabot/128

  - https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
  - https://nvd.nist.gov/vuln/detail/CVE-2025-13465
  - https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81
  - https://github.com/advisories/GHSA-xxjr-mmjv-4gpg

`npm-diff >= 5.0.0, < 5.2.2` CODE_REPOSITORY/commercelayer-react-components <ins>CVE-2026-24001</ins> **LOW** remediate by: 2026-04-21T22:15:39.536Z
- https://github.com/commercelayer/commercelayer-react-components/security/dependabot/126

  - https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx
  - https://github.com/kpdecker/jsdiff/pull/649
  - https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5
  - https://github.com/kpdecker/jsdiff/issues/653
  - https://nvd.nist.gov/vuln/detail/CVE-2026-24001
  - https://github.com/advisories/GHSA-73rr-hh4g-fpgx



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[VANTA] [VULNERABILITY] <HIGH> CVE-2026-24842, CVE-2026-23950, CVE-2025-13465 and others, fix before 2026-02-15 #704

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[VANTA] [VULNERABILITY] <HIGH> CVE-2026-24842, CVE-2026-23950, CVE-2025-13465 and others, fix before 2026-02-15 #704

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions