About “ESLint”

A curated feed of “ESLint”-related CVEs appears below. We currently track 12 CVEs for this tag (all time). In the last 365 days, 4 were published. Average CVSS is 7.7 (all time; 7.6 over 365d), and 75% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-407 - Inefficient Algorithmic Complexity, CWE-674 - Uncontrolled Recursion, CWE-260 - Password in Configuration File.

In our taxonomy this topic maps to a LOW impact class. Developer and CI/CD tooling touches supply chains and secrets. Patch controllers and agents, enforce SSO or MFA, rotate tokens, isolate runners, and audit plugins. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: eslint

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

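| Cycle | Release | Latest | Premier Support | EOL | LTS |
|-------|---------|--------|-----------------|-----|-----|
| 10 | | 10.4.1 | Unavailable | - | |
| 9 | | 9.39.4 | Unavailable | Soon | |
| 8 | | 8.57.1 | | Expired | |
| 7 | | 7.32.0 | | Expired | |
| 6 | | 6.8.0 | | Expired | |
| 5 | | 5.16.0 | | Expired | |
| 4 | | 4.19.1 | | Expired | |
| 3 | | 3.19.0 | | Expired | |
| 2 | | 2.13.1 | | Expired | |
| 1 | | 1.10.3 | | Expired | |

Legend: Maintained · Soon (≤ 180 days) · Expired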


CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

2026-02-26
High

CVE-2026-27903

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` perf…

2026-01-26
Medium

CVE-2025-50537

Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method,…

2025-08-21
Critical

CVE-2025-57754

eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will al…

2025-07-19
High

CVE-2025-54313

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-g…

2024-11-19
High

CVE-2024-21539

Versions of the package @eslint/plugin-kit before 0.2.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and c…

2023-04-20
Low

CVE-2022-4942

A vulnerability was found in mportuga eslint-detailed-reporter up to 0.9.0 and classified as problematic. Affected by this issue is the function renderIssue in the library lib/template-generator.js.…

2021-04-06
Medium

CVE-2021-21423

`projen` is a project generation tool that synthesizes project configuration files such as `package.json`, `tsconfig.json`, `.gitignore`, GitHub Workflows, `eslint`, `jest`, and more, from a well-typ…

2021-03-19
Critical

CVE-2021-26275

The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. NOTE: This vulnerability only affects products that are no longer supported b…

2021-03-11
High

CVE-2021-27081

Visual Studio Code ESLint Extension Remote Code Execution Vulnerability

2021-01-26
High

CVE-2021-21278

RSSHub is an open source, easy to use, and extensible RSS feed generator. In RSSHub before version 7f1c430 (non-semantic versioning) there is a risk of code injection. Some routes use `eval` or `Func…

2020-07-14
High

CVE-2020-1481

A remote code execution vulnerability exists in the ESLint extension for Visual Studio Code when it validates source code after opening a project, aka 'Visual Studio Code ESLint Extention Remote Code…

2019-08-26
Critical

CVE-2019-15657

In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.
