GCVE - cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:*

part: a version: * update: *

Vendor	Totaljs (`c2c15978-184c-5682-8600-bc2601bf8f6a`)
Product	Total.Js (`0e4ab704-0baa-5f02-acde-2ae0b0f53c67`)
Edition	*
Language	*
Software edition	*
Target software	node.js
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-11019`	vulnerable	2026-06-08 07:02:27.935297	Total.js CMS Files Menu cross site scripting LOW (2.4) A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Published: 2025-09-26T14:32:07.098Z Updated: 2025-09-26T15:01:48.580Z Open on db.gcve.eu Reference links https://vuldb.com/?id.325962 https://vuldb.com/?ctiid.325962 https://vuldb.com/?submit.651427	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-44019`	vulnerable	2026-06-08 05:49:35.245352	Details available In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter. Published: 2022-10-29T00:00:00.000Z Updated: 2025-05-07T13:58:14.770Z Open on db.gcve.eu Reference links https://github.com/totaljs/code/issues/12 https://www.youtube.com/watch?v=x-u3eS8-xJg https://www.edoardoottavianelli.it/CVE-2022-44019/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-32831`	vulnerable	2026-06-08 05:32:08.130599	Code injection in total.js HIGH (7.5) Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9. Published: 2021-08-30T20:40:21.000Z Updated: 2024-08-03T23:33:56.088Z Open on db.gcve.eu Reference links https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3 https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs/ https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11 https://www.npmjs.com/package/total.js	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-23389`	vulnerable	2026-06-08 05:30:02.841170	Arbitrary Code Execution CRITICAL (9.8) The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions. Published: 2021-07-12T15:15:18.459Z Updated: 2024-09-16T18:33:56.688Z Open on db.gcve.eu Reference links https://snyk.io/vuln/SNYK-JS-TOTALJS-1088607 https://github.com/totaljs/framework/blob/master/utils.js%23L6606-L6631 https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-23344`	vulnerable	2026-06-08 05:30:02.744210	Remote Code Execution (RCE) CRITICAL (9.8) The package total.js before 3.4.8 are vulnerable to Remote Code Execution (RCE) via set. Published: 2021-03-04T16:55:14.189Z Updated: 2024-09-17T01:55:53.280Z Open on db.gcve.eu Reference links https://snyk.io/vuln/SNYK-JS-TOTALJS-1077069 https://github.com/totaljs/framework/commit/c812bbcab8981797d3a1b9993fc42dad3d246f04	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-28495`	vulnerable	2026-06-08 05:23:56.174215	Prototype Pollution HIGH (7.3) This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection. Published: 2021-02-02T10:25:17.752Z Updated: 2024-09-16T22:40:43.106Z Open on db.gcve.eu Reference links https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671 https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set https://github.com/totaljs/framework/blob/master/utils.js%23L6606 https://github.com/totaljs/framework/blob/master/utils.js%23L6617 https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-28494`	vulnerable	2026-06-08 05:23:56.173436	Command Injection HIGH (8.6) This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized. Published: 2021-02-02T10:25:22.372Z Updated: 2024-09-16T16:33:03.828Z Open on db.gcve.eu Reference links https://snyk.io/vuln/SNYK-JS-TOTALJS-1046672 https://github.com/totaljs/framework/commit/6192491ab2631e7c1d317c221f18ea613e2c18a5	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-8903`	vulnerable	2026-06-08 05:14:24.648022	Details available index.js in Total.js Platform before 3.2.3 allows path traversal. Published: 2019-02-18T16:00:00.000Z Updated: 2024-08-04T21:31:37.520Z Open on db.gcve.eu Reference links https://github.com/totaljs/framework/commit/c37cafbf3e379a98db71c1125533d1e8d5b5aef7 https://github.com/totaljs/framework/commit/de16238d13848149f5d1dae51f54e397a525932b https://blog.certimetergroup.com/it/articolo/security/total.js-directory-traversal-cve-2019-8903	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.