| tiêu đề | nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Tailwind Config Generator Code Injection Leading to RCE |
|---|
| Mô tả | The _format_plugins() method at line 238 of tailwind_config_gen.py constructs JavaScript require() statements by directly interpolating plugin names into a string template without any sanitization or escaping of single quotes. An attacker-controlled plugin name containing a single quote can break out of the require() call and inject arbitrary JavaScript code. When the generated tailwind.config.js file is subsequently loaded by Node.js (via require(), Tailwind CLI, or any build tool), the injected code executes with full system privileges.
|
|---|
| Nguồn | ⚠️ https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/246 |
|---|
| Người dùng | Yu-Bao (UID 96702) |
|---|
| Đệ trình | 15/04/2026 04:51 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 01/05/2026 11:49 (16 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 360548 [nextlevelbuilder ui-ux-pro-max-skill đến 2.5.0 Tailwind Config Generator tailwind_config_gen.py _format_plugins nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|