VYPR
Vendor: Shopify

Products: 10
CVEs: 12
Across products: 14
Status: Private

Recent CVEs: 12
  • CVE-2026-34060 | Critical | Mar 31, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code…

  • CVE-2026-39862 | High | Apr 8, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an…

  • CVE-2026-42342 | High | Jun 2, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint,…

  • CVE-2026-42211 | High | Jun 2, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing…

  • CVE-2025-53623 | High | Jul 14, 2025
    risk 0.46 | cvss | epss 0.01

    The Job Iteration API is an extension for ActiveJob that makes jobs interruptible and resumable. Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary…

  • CVE-2026-22029 | High | Jan 10, 2026
    risk 0.45 | cvss 8.0 | epss 0.01

    React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can…

  • CVE-2026-34077 | High | Jun 2, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted…

  • CVE-2025-48069 | Medium | May 21, 2025
    risk 0.36 | cvss 6.6 | epss 0.01

    ejson2env allows users to decrypt EJSON secrets and export them as environment variables. Prior to version 2.0.8, the `ejson2env` tool has a vulnerability related to how it writes to `stdout`. Specifically, the tool is intended to write an export statement for environment…

  • CVE-2026-40181 | Medium | Jun 2, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The…

  • CVE-2025-30221 | Medium | Mar 27, 2025
    risk 0.21 | cvss 4.3 | epss 0.00

    Pitchfork is a preforking HTTP server for Rack applications. Versions prior to 0.11.0 are vulnerable to HTTP Response Header Injection when used in conjunction with Rack 3. The issue was fixed in Pitchfork release 0.11.0. No known workarounds are available.

  • CVE-2024-45036 | Medium | Aug 26, 2024
    risk 0.21 | cvss 4.3 | epss 0.00

    Tophat is a mobile applications testing harness. An Improper Access Control vulnerability can expose the `TOPHAT_APP_TOKEN` token stored in `~/.tophatrc` through use of a malicious Tophat URL controlled by the attacker. The vulnerability allows Tophat to send this token to the…

  • CVE-2022-29230 | May 18, 2022
    risk 0.00 | cvss | epss 0.01

    Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of…