> ## Documentation Index
> Fetch the complete documentation index at: https://semgrep-ee9d73d8-mintlify-b75b9a88.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Semgrep trophy case

> This is a list of vulnerabilities found and security fixes made with Semgrep.

Add yours [with a pull request](https://github.com/semgrep/semgrep-docs/blob/main/trophy-case.md)!

| CVEs                                                              |                                                                                                                                                                  |                          |                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| :---------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **CVE**                                                           | **Semgrep rule**                                                                                                                                                 | **Affected software**    | **Description**                                                                                                                                                                                                                                                                                                                                                                                                                              |
| [CVE-2025-59034](https://nvd.nist.gov/vuln/detail/CVE-2025-59034) |                                                                                                                                                                  | Indico v3.3.7            | Insecure direct object reference used to retrieve profile details of other users, circumventing access check.                                                                                                                                                                                                                                                                                                                                |
| [CVE-2025-29783](https://nvd.nist.gov/vuln/detail/CVE-2025-29783) | [python.lang.security.deserialization.pickle.avoid-pickle](https://semgrep.dev/r?q=python.lang.security.deserialization.pickle.avoid-pickle)                     | vLLM v0.8.2              | Unsafe deserialization allowed execution of remote code on distributed hosts using Mooncake.                                                                                                                                                                                                                                                                                                                                                 |
| [CVE-2019-5479](https://nvd.nist.gov/vuln/detail/CVE-2019-5479)   | [javascript.lang.security.detect-non-literal-require](https://semgrep.dev/r?q=javascript.lang.security.detect-non-literal-require)                               | larbitbase-api \< v0.5.5 | An unintended require vulnerability in \<v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).                                                                                                                                                                                                                                                                                                |
| [CVE-2020-8128](https://nvd.nist.gov/vuln/detail/CVE-2020-8128)   | [javascript.lang.security.detect-non-literal-require](https://semgrep.dev/r?q=javascript.lang.security.detect-non-literal-require)                               | jsreport \< 2.5.0        | An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.                                                                                                                                                                                                                                                                                       |
| [CVE-2020-8129](https://nvd.nist.gov/vuln/detail/CVE-2020-8129)   | [javascript.lang.security.detect-non-literal-require](https://semgrep.dev/r?q=javascript.lang.security.detect-non-literal-require)                               | script-manager \< 0.8.6  | An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code.                                                                                                                                                                                                                                                                                                   |
| [CVE-2020-7739](https://nvd.nist.gov/vuln/detail/CVE-2020-7739)   | [javascript.phantom.security.audit.phantom-injection](https://semgrep.dev/r?q=javascript.phantom.security.audit.phantom-injection)                               | phantomjs-seo            | This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a URL that will be passed to a PhantomJS instance allowing for an SSRF attack.                                                                                                                                                                                                                                                                   |
| [CVE-2020-7740](https://nvd.nist.gov/vuln/detail/CVE-2020-7740)   | [javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection](https://semgrep.dev/r?q=javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection)               | node-pdf-generator       | This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a URL that will be passed to an external server allowing an SSRF attack.                                                                                                                                                             |
| [CVE-2020-7749](https://nvd.nist.gov/vuln/detail/CVE-2020-7749)   | [javascript.puppeteer.security.audit.puppeteer-setcontent-injection](https://semgrep.dev/r?q=javascript.puppeteer.security.audit.puppeteer-setcontent-injection) | osm-static-maps          | This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping (`{{{ ... }}}`). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read. |

| Open Source Contributions                                                                                                                                             |                                                                                                                                                      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| :-------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Affected software**                                                                                                                                                 | **Semgrep rule**                                                                                                                                     | **Description**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| [Open EdX](https://github.com/edx/edx-platform/commit/3f1220276d72cada2d4aa5f812768a3dff6e711a#diff-4e1bff4f8c5f8ff3ffb5aad2c61aa9433876ba2462c62f22488f2382457a84ae) | [python.requests.security.disabled-cert-validation](https://semgrep.dev/r?q=python.requests.security.disabled-cert-validation)                       | SSL certification is disabled in order to accept self-signed certificates.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| [RPyC](https://github.com/tomerfiliba-org/rpyc/pull/376)                                                                                                              | [python.lang.correctness.common-mistakes.default-mutable-dict](https://semgrep.dev/r?q=python.lang.correctness.common-mistakes.default-mutable-dict) | In python, the default values of function parameters are instantiated at function definition time. All calls to that function that use the default value all point to the same global object. Because of this, two instances of Server (initialized without passing in a protocol\_config option) actually share the same protocol\_config. So modifying one server's config affects the other ones.                                                                                                                                                                                                                                                             |
| [CMake](https://gitlab.kitware.com/cmake/cmake/-/merge_requests/4432)                                                                                                 | [python.lang.correctness.common-mistakes.default-mutable-dict](https://semgrep.dev/r?q=python.lang.correctness.common-mistakes.default-mutable-dict) | `ConvertMSBuildXMLToJSON`: Fix python mutable default data structure                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| [lte-template-flask](https://github.com/ucfopen/lti-template-flask/pull/13)                                                                                           | [python.flask.security.unescaped-template-extension](https://semgrep.dev/r?q=python.flask.security.unescaped-template-extension)                     | Passing the host parameter to your jinja template in `views.py:63`. `lis_person_name_full` comes from `request.form.get('lis_person_name_full')`. This line may be susceptible to XSS attacks. I went ahead and html-escaped the `lis_person_name_full` variable in `launch.htm.j2` file using the `{{ value\|e }}` pattern in Jinja. ([https://jinja.palletsprojects.com/en/2.10.x/templates/#working-with-manual-escaping](https://jinja.palletsprojects.com/en/2.10.x/templates/#working-with-manual-escaping)). Note that if your template file extensions ended with `.html`, `.htm`, `.xml`, or `.xhtml`, they would have been automatically html escaped. |
| [netskrafl.is](https://github.com/mideind/Netskrafl/pull/76)                                                                                                          | [python.flask.security.xss.audit.template-unescaped-with-safe](https://semgrep.dev/r?q=python.flask.security.xss.audit.template-unescaped-with-safe) | The `\| safe` filter from `from_url` in the `userprefs.html` template causes XSS.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| [pdfcpu](https://github.com/pdfcpu/pdfcpu/pull/200)                                                                                                                   | [go.lang.correctness.useless-eqeq.eqeq-is-bad](https://semgrep.dev/r?q=go.lang.correctness.useless-eqeq.eqeq-is-bad)                                 | It looks like this test case in `pkg/pdfcpu/image_test.go` was intending to compare `bb1` with `bb2`, but it was comparing `bb1` twice.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
