EPSS Percentile: 73.4%
total.js is vulnerable to OS command injection. The type parameter is not properly sanitized and validated, and is used to build the command which is subsequently executed using child_process.spawn.
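One way to close this class of bug, shown as an added example that is not code from total.js or from the linked commit: validate type against an allowlist and pass it to child_process.spawn as a separate argv element with no shell. The names TOOL, ALLOWED_TYPES, normalizeType, buildArgs, runTool and isRejected, the tool's flags, and the sample inputs are all hypothetical.

```javascript
// Added example. All names and flags here are hypothetical, not total.js APIs.
const TOOL = "example-tool"; // placeholder binary name (assumption)

// The only values of `type` that may ever reach the command line.
const ALLOWED_TYPES = new Set(["jpg", "png", "gif", "webp"]);

// Reject anything that is not exactly one allowlisted string.
// Arrays and objects are refused up front so they cannot be coerced later.
function normalizeType(type) {
  if (typeof type !== "string") throw new TypeError("type must be a string");
  const t = type.toLowerCase();
  if (!ALLOWED_TYPES.has(t)) throw new RangeError("unsupported type");
  return t;
}

// Build an argv array. Each value is its own argument and is never
// concatenated into a command string; "--" ends option parsing so a
// path that starts with "-" is not read as a flag.
function buildArgs(type, input, output) {
  const t = normalizeType(type);
  for (const p of [input, output]) {
    if (typeof p !== "string" || p.length === 0) throw new TypeError("path must be a non-empty string");
  }
  return ["--type", t, "--", input, output];
}

// Spawn without a shell, so metacharacters in an argument have no special meaning.
function runTool(type, input, output) {
  const { spawn } = require("node:child_process"); // loaded only when a process is started
  return spawn(TOOL, buildArgs(type, input, output), { shell: false, stdio: "ignore" });
}

// Helper for checking inputs: true when validation refuses the value.
function isRejected(type) {
  try {
    normalizeType(type);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample inputs: one valid value, then values that must be refused.
for (const sample of ["PNG", "png; echo constructed", "png$(echo constructed)", ["png"]]) {
  console.log(JSON.stringify(sample), isRejected(sample) ? "rejected" : "accepted");
}
```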
github.com/totaljs/framework/commit/6192491ab2631e7c1d317c221f18ea613e2c18a5