npm package
yapi-vendor
pkg:npm/yapi-vendor
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-70058 | — | | | <= 1.12.0 | — | Feb 23, 2026 | An issue pertaining to CWE-295: Improper Certificate Validation was discovered in YMFE yapi v1.12.0. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in the HTTPS agent configuration for Axios requests |
| CVE-2021-36686 | — | | | <= 1.9.1 | — | Jan 26, 2023 | Cross Site Scripting (XSS) vulnerability in yapi 1.9.1 allows attackers to execute arbitrary code via the /interface/api edit page. |
| CVE-2021-27884 | — | | | < 1.9.3 | 1.9.3 | Mar 1, 2021 | Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used. |
| CVE-2018-17574 | — | | | < 1.3.23 | 1.3.23 | Sep 28, 2018 | An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in the name field of a project. |