[VANTA] [VULNERABILITY] <HIGH> CVE-2026-26996, fix before 2026-03-27

[commercelayer-ci]

Important

CLOSE THE ISSUE ONLY IF YOU PLAN TO DEPLOY THE FIX BEFORE THE DEADLINE IN THE TITLE.

DO NOT MANUALLY MODIFY THE ISSUE TITLE OR TEXT BODY.

^{npm-fast-xml-parser >= 5.0.9, <= 5.3.3 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2026-25128 HIGH remediate by: 2026-03-13T22:15:20.604Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/39

Related URLs

• GHSA-37qj-frw5-hhjh
• https://nvd.nist.gov/vuln/detail/CVE-2026-25128
• NaturalIntelligence/fast-xml-parser@4e387f6
• https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4
• GHSA-37qj-frw5-hhjh

^{npm-lodash-es >= 4.0.0, <= 4.17.22 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2025-13465 MEDIUM remediate by: 2026-03-23T06:15:19.249Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/35

Related URLs

• GHSA-xxjr-mmjv-4gpg
• https://nvd.nist.gov/vuln/detail/CVE-2025-13465
• lodash/lodash@edadd45
• GHSA-xxjr-mmjv-4gpg

^{npm-lodash >= 4.0.0, <= 4.17.22 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2025-13465 MEDIUM remediate by: 2026-03-23T06:15:19.249Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/36

Related URLs

• GHSA-xxjr-mmjv-4gpg
• https://nvd.nist.gov/vuln/detail/CVE-2025-13465
• lodash/lodash@edadd45
• GHSA-xxjr-mmjv-4gpg

^{npm-undici < 6.23.0 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2026-22036 MEDIUM remediate by: 2026-03-23T23:28:22.790Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/33

Related URLs

• GHSA-g9mf-h72j-4rw9
• nodejs/undici@b04e3cb
• https://nvd.nist.gov/vuln/detail/CVE-2026-22036
• GHSA-g9mf-h72j-4rw9

^{npm-undici >= 7.0.0, < 7.18.2 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2026-22036 MEDIUM remediate by: 2026-03-23T23:28:22.790Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/31

Related URLs

• GHSA-g9mf-h72j-4rw9
• nodejs/undici@b04e3cb
• https://nvd.nist.gov/vuln/detail/CVE-2026-22036
• GHSA-g9mf-h72j-4rw9

^{npm-minimatch >= 5.0.0, < 5.1.7 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2026-26996 HIGH remediate by: 2026-03-27T08:50:05.811Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/45

Related URLs

• GHSA-3ppc-4f35-3m26
• isaacs/minimatch@2e111f3
• https://nvd.nist.gov/vuln/detail/CVE-2026-26996
• GHSA-3ppc-4f35-3m26

^{npm-minimatch < 3.1.3 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2026-26996 HIGH remediate by: 2026-03-27T08:50:05.811Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/46

Related URLs

• GHSA-3ppc-4f35-3m26
• isaacs/minimatch@2e111f3
• https://nvd.nist.gov/vuln/detail/CVE-2026-26996
• GHSA-3ppc-4f35-3m26

FIXED npm-minimatch >= 9.0.0, < 9.0.6 CVE-2026-26996 HIGH

npm-minimatch >= 9.0.0, < 9.0.6 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2026-26996 HIGH remediate by: 2026-03-27T08:50:05.811Z

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/47

Related URLs

• GHSA-3ppc-4f35-3m26
• isaacs/minimatch@2e111f3
• https://nvd.nist.gov/vuln/detail/CVE-2026-26996
• GHSA-3ppc-4f35-3m26

^{npm-minimatch >= 5.0.0, < 5.1.8 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2026-27904 HIGH remediate by: 2026-03-30T06:15:08.603Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/48

Related URLs

• GHSA-23c5-xmqv-rm74
• https://nvd.nist.gov/vuln/detail/CVE-2026-27904
• isaacs/minimatch@11d0df6
• GHSA-23c5-xmqv-rm74

^{npm-minimatch >= 5.0.0, < 5.1.8 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2026-27903 HIGH remediate by: 2026-03-30T06:15:08.603Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/49

Related URLs

• GHSA-7r86-cg39-jmmj
• https://nvd.nist.gov/vuln/detail/CVE-2026-27903
• isaacs/minimatch@0bf499a
• GHSA-7r86-cg39-jmmj

^{npm-diff >= 5.0.0, < 5.2.2 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2026-24001 LOW remediate by: 2026-04-21T22:15:39.536Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/34

Related URLs

• GHSA-73rr-hh4g-fpgx
• Fix the second denial-of-service vulnerability in parsePatch kpdecker/jsdiff#649
• kpdecker/jsdiff@15a1585
• Backport GHSA-73rr-hh4g-fpgx fix to v4 kpdecker/jsdiff#653
• https://nvd.nist.gov/vuln/detail/CVE-2026-24001
• GHSA-73rr-hh4g-fpgx

^{npm-ajv < 6.14.0 CODE_REPOSITORY/commercelayer-cli-plugin-microstore CVE-2025-69873 MEDIUM remediate by: 2026-04-23T06:15:03.493Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-microstore/security/dependabot/44

Related URLs

• https://nvd.nist.gov/vuln/detail/CVE-2025-69873
• https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) ajv-validator/ajv#2586
• ajv-validator/ajv@720a23f
• https://github.com/ajv-validator/ajv/releases/tag/v8.18.0
• fix(security): backport CVE-2025-69873 - wrap $data pattern in try/catch ajv-validator/ajv#2588
• https://github.com/ajv-validator/ajv/releases/tag/v6.14.0
• GHSA-2g4f-4pwh-qvx6

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-microstore

All the listed vulnerabilities are still detected.
Please resolve within 19 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-microstore

All the listed vulnerabilities are still detected.
Please resolve within 13 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-microstore

All the listed vulnerabilities are still detected.
Please resolve within 7 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-microstore

All the listed vulnerabilities are still detected.
Please resolve within 6 days.