[VANTA] [VULNERABILITY] <CRITICAL> CVE-2026-2950, CVE-2026-33750, CVE-2026-33916 and others, fix before 2026-04-26

> [!IMPORTANT]
> CLOSE THE ISSUE ONLY IF YOU PLAN TO DEPLOY THE FIX BEFORE THE DEADLINE IN THE TITLE.
>
> DO NOT MANUALLY MODIFY THE ISSUE TITLE OR TEXT BODY.

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>CVE-2026-33937</ins> CRITICAL</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-33937</ins> **CRITICAL** remediate by: 2026-04-26T22:19:27.887Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/64

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33937
> - https://github.com/advisories/GHSA-2w6w-674q-4c4q
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>CVE-2026-33941</ins> HIGH</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-33941</ins> **HIGH** remediate by: 2026-04-26T22:19:28.149Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/68

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33941
> - https://github.com/advisories/GHSA-xjpj-3mr7-gcpf
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>CVE-2026-33938</ins> HIGH</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-33938</ins> **HIGH** remediate by: 2026-04-26T22:19:28.149Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/65

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33938
> - https://github.com/advisories/GHSA-3mfm-83xf-c92r
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>CVE-2026-33940</ins> HIGH</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-33940</ins> **HIGH** remediate by: 2026-04-26T22:19:28.149Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/67

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33940
> - https://github.com/advisories/GHSA-xhpv-hc6g-r9c6
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>CVE-2026-33939</ins> HIGH</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-33939</ins> **HIGH** remediate by: 2026-04-26T22:19:28.149Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/66

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33939
> - https://github.com/advisories/GHSA-9cx6-37pm-9jff
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, <= 4.7.8</code> <ins>GHSA-442j-39wm-28r2</ins> LOW</summary>

`npm-handlebars >= 4.0.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>GHSA-442j-39wm-28r2</ins> **LOW** remediate by: 2026-06-27T22:22:40.282Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/72

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://github.com/advisories/GHSA-442j-39wm-28r2
> 
> </details>

</details>

<details><summary>FIXED <code>npm-lodash-es >= 4.0.0, <= 4.17.23</code> <ins>CVE-2026-4800</ins> HIGH</summary>

`npm-lodash-es >= 4.0.0, <= 4.17.23` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-4800</ins> **HIGH** remediate by: 2026-05-02T14:38:24.409Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/73

> <details><summary>Related URLs</summary>
> 
> - https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc
> - https://nvd.nist.gov/vuln/detail/CVE-2026-4800
> - https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
> - https://cna.openjsf.org/security-advisories.html
> - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
> - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
> 
> </details>

</details>

<details><summary>FIXED <code>npm-lodash >= 4.0.0, <= 4.17.23</code> <ins>CVE-2026-4800</ins> HIGH</summary>

`npm-lodash >= 4.0.0, <= 4.17.23` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-4800</ins> **HIGH** remediate by: 2026-05-10T06:21:04.459Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/75

> <details><summary>Related URLs</summary>
> 
> - https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc
> - https://nvd.nist.gov/vuln/detail/CVE-2026-4800
> - https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
> - https://cna.openjsf.org/security-advisories.html
> - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
> - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.0.0, < 4.7.9</code> <ins>CVE-2026-33916</ins> MEDIUM</summary>

`npm-handlebars >= 4.0.0, < 4.7.9` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-33916</ins> **MEDIUM** remediate by: 2026-05-26T06:15:32.686Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/62

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
> - https://nvd.nist.gov/vuln/detail/CVE-2021-23369
> - https://nvd.nist.gov/vuln/detail/CVE-2021-23383
> - https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33916
> - https://github.com/advisories/GHSA-2qvq-rjwj-gvw9
> 
> </details>

</details>

<details><summary>FIXED <code>npm-brace-expansion >= 4.0.0, < 5.0.5</code> <ins>CVE-2026-33750</ins> MEDIUM</summary>

`npm-brace-expansion >= 4.0.0, < 5.0.5` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-33750</ins> **MEDIUM** remediate by: 2026-05-26T22:19:28.497Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/63

> <details><summary>Related URLs</summary>
> 
> - https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
> - https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
> - https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
> - https://github.com/juliangruber/brace-expansion/issues/98
> - https://github.com/juliangruber/brace-expansion/pull/95
> - https://github.com/juliangruber/brace-expansion/pull/96
> - https://github.com/juliangruber/brace-expansion/pull/97
> - https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
> - https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
> - https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33750
> - https://github.com/advisories/GHSA-f886-m6hf-6m8v
> 
> </details>

</details>

<details><summary>FIXED <code>npm-serialize-javascript < 7.0.5</code> <ins>CVE-2026-34043</ins> MEDIUM</summary>

`npm-serialize-javascript < 7.0.5` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-34043</ins> **MEDIUM** remediate by: 2026-05-28T14:18:26.573Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/69

> <details><summary>Related URLs</summary>
> 
> - https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v
> - https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b
> - https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5
> - https://nvd.nist.gov/vuln/detail/CVE-2026-34043
> - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
> 
> </details>

</details>

<details><summary>FIXED <code>npm-brace-expansion >= 2.0.0, < 2.0.3</code> <ins>CVE-2026-33750</ins> MEDIUM</summary>

`npm-brace-expansion >= 2.0.0, < 2.0.3` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-33750</ins> **MEDIUM** remediate by: 2026-05-28T22:22:39.992Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/70

> <details><summary>Related URLs</summary>
> 
> - https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
> - https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
> - https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
> - https://github.com/juliangruber/brace-expansion/issues/98
> - https://github.com/juliangruber/brace-expansion/pull/95
> - https://github.com/juliangruber/brace-expansion/pull/96
> - https://github.com/juliangruber/brace-expansion/pull/97
> - https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
> - https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
> - https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
> - https://nvd.nist.gov/vuln/detail/CVE-2026-33750
> - https://github.com/advisories/GHSA-f886-m6hf-6m8v
> 
> </details>

</details>

<details><summary>FIXED <code>npm-handlebars >= 4.6.0, <= 4.7.8</code> <ins>GHSA-7rx3-28cr-v5wh</ins> MEDIUM</summary>

`npm-handlebars >= 4.6.0, <= 4.7.8` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>GHSA-7rx3-28cr-v5wh</ins> **MEDIUM** remediate by: 2026-05-28T22:22:39.992Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/71

> <details><summary>Related URLs</summary>
> 
> - https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh
> - https://github.com/advisories/GHSA-765h-qjxv-5f44
> - https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
> - https://github.com/advisories/GHSA-7rx3-28cr-v5wh
> 
> </details>

</details>

<details><summary>FIXED <code>npm-lodash-es <= 4.17.23</code> <ins>CVE-2026-2950</ins> MEDIUM</summary>

`npm-lodash-es <= 4.17.23` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-2950</ins> **MEDIUM** remediate by: 2026-06-01T14:38:24.736Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/74

> <details><summary>Related URLs</summary>
> 
> - https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
> - https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
> - https://nvd.nist.gov/vuln/detail/CVE-2026-2950
> - https://github.com/advisories/GHSA-f23m-r3pf-42rh
> 
> </details>

</details>

<details><summary>FIXED <code>npm-lodash <= 4.17.23</code> <ins>CVE-2026-2950</ins> MEDIUM</summary>

`npm-lodash <= 4.17.23` CODE_REPOSITORY/commercelayer-cli-plugin-resources <ins>CVE-2026-2950</ins> **MEDIUM** remediate by: 2026-06-09T14:23:14.879Z
- https://github.com/commercelayer/commercelayer-cli-plugin-resources/security/dependabot/76

> <details><summary>Related URLs</summary>
> 
> - https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
> - https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
> - https://nvd.nist.gov/vuln/detail/CVE-2026-2950
> - https://github.com/advisories/GHSA-f23m-r3pf-42rh
> 
> </details>

</details>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[VANTA] [VULNERABILITY] <CRITICAL> CVE-2026-2950, CVE-2026-33750, CVE-2026-33916 and others, fix before 2026-04-26 #124

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[VANTA] [VULNERABILITY] <CRITICAL> CVE-2026-2950, CVE-2026-33750, CVE-2026-33916 and others, fix before 2026-04-26 #124

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions