Severity: moderate

Cross-Site Scripting



Versions of verdaccio prior to 3.12.0 are vulnerable to Cross-Site Scripting. Links for a package's homepage are not properly restricted to http/https and can contain JavaScript, which may lead to arbitrary code execution.
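The restriction described above, sketched as an added example (not verdaccio's own code): a scheme allow-list applied to the `homepage` field of package metadata before it is rendered as a link. The function names `safeHomepage` and `renderHomepageLink` and all sample values are assumptions constructed for illustration.

```javascript
// Added example, not verdaccio's code. Names and inputs are hypothetical.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns a normalized http(s) URL string, or null when the value must not
// be rendered as a clickable link.
function safeHomepage(value) {
  // Package metadata is publisher-controlled, so the type is not guaranteed.
  if (typeof value !== 'string') return null;
  let url;
  try {
    // The WHATWG URL parser normalizes like a browser does: it trims
    // leading/trailing whitespace, drops tabs and newlines, and lower-cases
    // the scheme, so "JaVa\tScRiPt:" is compared as "javascript:".
    url = new URL(value);
  } catch (err) {
    // Relative, protocol-relative and malformed values are not links.
    return null;
  }
  // Allow-list rather than block-list: data:, vbscript:, file: and any
  // scheme not listed are rejected along with javascript:.
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Escape for use inside HTML text and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders the homepage link, or a plain placeholder when the value is unsafe.
function renderHomepageLink(pkg) {
  const href = safeHomepage(pkg.homepage);
  if (href === null) return '<span>no homepage</span>';
  const safe = escapeHtml(href);
  return `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`;
}
```

The check belongs where the link is rendered, so that metadata already stored in the registry is covered as well as newly published packages.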


Upgrade to version 3.12.0 or later.

Advisory timeline

  1. published: Advisory Published, May 27th, 2019
  2. reported: Reported by Adam Baldwin, May 1st, 2019