Severity: moderate

    Cross-Site Scripting



    Versions of verdaccio prior to 3.12.0 are vulnerable to Cross-Site Scripting. Links for the package's homepage are not properly restricted to http/https and can contain JavaScript, which may lead to arbitrary code execution.


    Upgrade to version 3.12.0 or later.
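
One way to enforce the http/https restriction described above when rendering a homepage link, shown as an added example (it is not verdaccio's own code or its actual fix). The function names and the sample package metadata are constructed for illustration.

```javascript
// Added example (not verdaccio source). Names and sample data are constructed.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns a normalized absolute URL if `value` is http(s), otherwise null.
function safeHomepage(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  let url;
  try {
    // WHATWG parsing, as browsers do: trims surrounding whitespace, drops
    // embedded tabs/newlines and lower-cases the scheme before we compare.
    // No base URL is given, so relative and scheme-less values throw.
    url = new URL(value);
  } catch (err) {
    return null;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Escape text for use inside HTML content or a double-quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Render the homepage as a link only when it passes the allow-list;
// anything else is shown as inert, escaped text.
function renderHomepage(pkg) {
  const raw = (pkg && pkg.homepage) || '';
  const href = safeHomepage(raw);
  if (href === null) {
    return `<span class="homepage">${escapeHtml(raw)}</span>`;
  }
  const safe = escapeHtml(href);
  return `<a class="homepage" href="${safe}" rel="noopener noreferrer">${safe}</a>`;
}

// Constructed package metadata covering the accepted and rejected cases.
const samples = [
  { name: 'ok-pkg', homepage: 'https://example.com/ok-pkg#readme' },
  { name: 'upper', homepage: 'HTTP://Example.com' },
  { name: 'script', homepage: ' JaVaScRiPt:alert(1)' },
  { name: 'tabbed', homepage: 'java\tscript:alert(1)' },
  { name: 'data', homepage: 'data:text/html,<b>x</b>' },
  { name: 'relative', homepage: '//example.com/path' },
  { name: 'missing' },
];
for (const pkg of samples) console.log(pkg.name, '=>', renderHomepage(pkg));
```

The check compares the parsed scheme rather than matching a prefix on the raw string, so mixed case, leading whitespace and embedded tab characters do not change the result.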

    Advisory timeline

    1. published

      Advisory Published
      May 27th, 2019
    2. reported

      Reported by Adam Baldwin
      May 1st, 2019