
style(ui): portlet search boxes, import dialogs and content compare fixes#35341

Open
hmoreras wants to merge 2 commits into main from issue-35274-ui-fixes-round-2

Conversation

@hmoreras
Member

What does this PR do?

Addresses several UI inconsistencies across recently migrated portlets.

Changes

  • Search boxes (categories, tags, locales, plugins): Enforced consistent w-80 (320px) width on all search inputs; simplified placeholder text to Search across all four portlets
  • Tags import dialog: Removed redundant ", such as...." text from the instructions copy, ending the sentence with a period
  • Categories import dialog: Unified the p-fileupload dropzone template to match the tags/plugins pattern (icon, layout, #content-only approach); added shrink-0 to the icon container to prevent oval distortion when dialog space is constrained; put Import Type radio buttons on the same row (gap-3) to reduce vertical overflow
  • Content compare: Fixed the Previous version p-select dropdown not showing a selected value on first load by binding [ngModel]="data.compare" and adding dataKey="inode" for reliable object matching

Closes

Closes #35274

…ixes

- Set min-width w-80 consistently on all portlet search inputs (categories, tags, locales, plugins)
- Simplify search placeholder text to "Search" across all four portlets
- Unify dot-categories-import file upload template to match tags/plugins dropzone UI
- Put import type radio buttons on the same row to reduce vertical overflow
- Fix dot-content-compare previous version dropdown not showing selected value on load

Closes #35274

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
Contributor

claude bot commented Apr 15, 2026

Claude finished @hmoreras's task in 2m 38s


PR Review

  • Read changed files
  • Review diff and analyze changes
  • Post findings

Three issues worth addressing:

1. Orphaned i18n key (Language.properties)

categories.import.drag-drop is still defined (~line 6751) but the new template never uses it — the dropzone text was split into dropzone.prefix / choose-file / dropzone.suffix. Dead key, should be removed.

2. No way to deselect a file in the categories import dialog (dot-categories-import.component.html)

The old #content template had an explicit remove button:

<p-button icon="pi pi-times" ... (onClick)="onFileClear()" ... />

The new template drops it. Once a file is selected, users can replace it (re-click) but cannot return to the empty state — which disables the Import button via [disabled]="!$selectedFile()". If someone accidentally selects the wrong file and wants to abort without dismissing the dialog, there's no escape. The (onClear)="onFileClear()" binding and the onFileClear() TS method still exist but are now unreachable from the UI.

3. Clickable dropzone div is not keyboard-accessible (dot-categories-import.component.html, line 37–38)

<div ... (click)="fileUpload.choose()">

This div acts as a button but has no role="button", tabindex="0", or keyboard event handler ((keydown.enter) / (keydown.space)). It's unreachable via Tab key and won't respond to Enter/Space. The tooltip info icon (line 58) also lost its cursor-pointer class from the old template.


Everything else is clean. The [ngModel]="data.compare" + dataKey="inode" fix on p-select is correct — one-way binding is appropriate here since changeVersion.emit drives the state update externally. The shrink-0 on the icon circle, the inline radio buttons, and the w-80 search width enforcement are all fine.

@hmoreras hmoreras changed the base branch from master to main April 15, 2026 21:15
@github-actions github-actions bot added labels Area : Backend (PR changes Java/Maven backend code), Area : CI/CD (PR changes GitHub Actions/workflows), Area : Documentation (PR changes documentation files), Area : Frontend (PR changes Angular/TypeScript frontend code) Apr 15, 2026
Verify that data.compare is shown as the selected version in the
previous versions dropdown on first load.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions github-actions bot removed labels Area : Documentation (PR changes documentation files), Area : CI/CD (PR changes GitHub Actions/workflows) Apr 15, 2026
@dotCMS dotCMS deleted a comment from claude bot Apr 15, 2026
@hmoreras hmoreras removed labels AI: Not Safe To Rollback, Area : Backend (PR changes Java/Maven backend code) Apr 15, 2026
@semgrep-code-dotcms-test

Semgrep found 1 spring-tainted-path-traversal finding:

  • dotCMS/src/main/java/com/dotcms/rest/ContentResource.java

The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.

View Dataflow Graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>dotCMS/src/main/java/com/dotcms/rest/ContentResource.java</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1424 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1424] multipart</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1424 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1424] multipart</a>"]

            v3["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1428 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1428] multipartPUTandPOST</a>"]

            v4["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1484 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1484] multipart</a>"]

            v5["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1499 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1499] part</a>"]

            v6["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1499 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1499] part</a>"]

            v7["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1581 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1581] processFile</a>"]

            v8["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1613 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1613] part</a>"]

            v9["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1616 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1616] badFileName</a>"]

            v10["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1617 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1617] filename</a>"]
        end
            v2 --> v3
            v3 --> v4
            v4 --> v5
            v5 --> v6
            v6 --> v7
            v7 --> v8
            v8 --> v9
            v9 --> v10
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1632 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1632] tmpFolder.getAbsolutePath() + File.separator + filename</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink


If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 1 tainted-file-path finding:

Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.

View Dataflow Graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>dotCMS/src/main/java/com/dotcms/rest/ContentResource.java</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1424 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1424] multipart</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1424 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1424] multipart</a>"]

            v3["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1428 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1428] multipartPUTandPOST</a>"]

            v4["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1484 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1484] multipart</a>"]

            v5["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1499 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1499] part</a>"]

            v6["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1499 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1499] part</a>"]

            v7["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1581 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1581] processFile</a>"]

            v8["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1613 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1613] part</a>"]

            v9["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1616 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1616] badFileName</a>"]

            v10["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1617 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1617] filename</a>"]
        end
            v2 --> v3
            v3 --> v4
            v4 --> v5
            v5 --> v6
            v6 --> v7
            v7 --> v8
            v8 --> v9
            v9 --> v10
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/dotCMS/core/blob/ad334edd1e549f78c1c61c89b1e55957b8f45512/dotCMS/src/main/java/com/dotcms/rest/ContentResource.java#L1631 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 1631] new File(<br>                    tmpFolder.getAbsolutePath() + File.separator + filename)</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink


If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.
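
The two Semgrep findings above trace a client-supplied multipart filename into the sink new File(tmpFolder.getAbsolutePath() + File.separator + filename). As an added example, not dotCMS code and not the change the project made in response, the following standalone Java shows the two checks a reviewer would expect at such a sink: reduce the filename to a bare basename (the role Semgrep suggests for org.apache.commons.io.FilenameUtils.getName, done here with the JDK alone so it runs without commons-io), then resolve it under the temp folder and confirm the normalized result still lies inside that folder. The class and method names (SafeUploadPath, safeFileName, resolveUnderBase), the base folder and the sample filenames are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not dotCMS code: defensive handling of a multipart upload
 * filename before it is used to build a path under a temp folder. The names
 * SafeUploadPath, safeFileName and resolveUnderBase are hypothetical.
 */
public final class SafeUploadPath {

    private SafeUploadPath() {}

    /**
     * Reduce a client-supplied filename (e.g. from a multipart
     * Content-Disposition header) to a bare basename. Comparable to
     * org.apache.commons.io.FilenameUtils.getName(...), and additionally
     * rejects NUL bytes and the "." / ".." pseudo-names.
     */
    public static String safeFileName(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("missing filename");
        }
        if (raw.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in filename");
        }
        // Strip everything up to the last separator, treating both '/' and
        // '\' as separators regardless of server platform: the client may be
        // Windows even when the server is Linux.
        int cut = Math.max(raw.lastIndexOf('/'), raw.lastIndexOf('\\'));
        String name = (cut >= 0 ? raw.substring(cut + 1) : raw).trim();
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("invalid filename: " + raw);
        }
        return name;
    }

    /**
     * Resolve the sanitized name under the base folder and prove the result
     * stays inside it, so the sink (new File(...)) cannot escape even if the
     * basename step is weakened by a later change.
     */
    public static Path resolveUnderBase(Path base, String rawFileName) {
        Path baseAbs = base.toAbsolutePath().normalize();
        Path target = baseAbs.resolve(safeFileName(rawFileName)).normalize();
        if (!target.startsWith(baseAbs) || target.equals(baseAbs)) {
            throw new SecurityException("path escapes upload folder: " + rawFileName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample base folder and filenames; nothing is written to disk.
        Path tmp = Paths.get("/tmp/dotcms-upload");
        String[] samples = {
            "report.pdf",
            "../../etc/passwd",
            "..\\..\\windows\\win.ini",
            "C:\\Users\\me\\notes.txt",
            "..",
            ""
        };
        for (String s : samples) {
            try {
                System.out.println("\"" + s + "\" -> " + resolveUnderBase(tmp, s));
            } catch (RuntimeException e) {
                System.out.println("\"" + s + "\" -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running main shows "../../etc/passwd" collapsing to /tmp/dotcms-upload/passwd (the traversal segments are discarded, which is the FilenameUtils.getName behaviour Semgrep recommends) while "..", the empty name and any name that would resolve outside the folder are rejected. The second check is deliberately redundant with the first: the basename step is the fix, the containment check is the invariant that keeps the sink safe if someone later replaces the basename logic.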

@semgrep-code-dotcms-test

Semgrep found 2 ssc-6efe528b-deef-ace9-810a-467438938c20 findings:

Risk: Affected versions of next are vulnerable to Allocation of Resources Without Limits or Throttling. A specially crafted HTTP request to a Next.js App Router Server Function endpoint can trigger excessive CPU consumption during React Server Components deserialization, leading to denial of service.

Fix: Upgrade this library to at least version 15.5.15 at core/core-web/yarn.lock:17765.

Reference(s): GHSA-q4gf-8mx6-v5v3

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 ssc-1289c362-ab31-4c96-bd5e-5e444f4fb067 findings:

Risk: Affected versions of vite are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Missing Authentication for Critical Function. This occurs because the Vite Dev Server WebSocket improperly exposes the fetchModule method, allowing unauthenticated remote attackers to bypass filesystem restrictions and read arbitrary files from the host machine

Manual Review Advice: A vulnerability from this advisory is reachable if you enable vite dev server using --host flag and websocket is not disabled

Fix: Upgrade this library to at least version 7.3.2 at core/core-web/yarn.lock:22638.

Reference(s): GHSA-p9ff-h696-f583, CVE-2026-39363

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 ssc-81d0f8fa-e5f9-414f-a539-fa38f9590a35 findings:

Risk: Affected versions of vite are vulnerable to Improper Access Control / Incorrect Behavior Order. Vite's dev server can bypass server.fs.deny protections: if the server is exposed to the network and a denied file is within an allowed directory, an attacker can retrieve sensitive files such as .env or certificate files by requesting them with query parameters like ?raw, ?import&raw, or ?import&url&inline.

Manual Review Advice: A vulnerability from this advisory is reachable if you enable vite dev server using --host flag and have sensitive data in deny list

Fix: Upgrade this library to at least version 7.3.2 at core/core-web/yarn.lock:22638.

Reference(s): GHSA-v2wj-q39q-566r, CVE-2026-39364

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 ssc-7655e34f-47d3-43f6-b687-32e02f3c8005 findings:

  • dotcms-postman/yarn.lock
  • .github/scripts/gather-release-data/package-lock.json

Risk: Affected versions of handlebars are vulnerable to Improper Control of Generation of Code ('Code Injection') / Improper Encoding or Escaping of Output / Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The Handlebars CLI precompiler allows arbitrary JavaScript injection by embedding unescaped template filenames and CLI option values such as --namespace, --commonjs, and --handlebarPath directly into generated output. An attacker who can control these inputs can cause malicious code to execute when the precompiled bundle is loaded in Node.js or a browser.

Manual Review Advice: A vulnerability from this advisory is reachable if you execute templates through the Handlebars CLI precompiler

Fix: Upgrade this library to at least version 4.7.9 at core/dotcms-postman/yarn.lock:303.

Reference(s): GHSA-xjpj-3mr7-gcpf, CVE-2026-33941

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 ssc-c1e42c77-a3f9-4dae-adc7-2b52e247269b findings:

Risk: Affected versions of @angular/compiler and @angular/core are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Angular's runtime/compiler can be vulnerable to XSS when a security-sensitive attribute (e.g., href, src, action, xlink:href, etc.) is both data-bound and marked for internationalization using i18n-<attribute>, which can bypass Angular's built-in sanitization. If untrusted/user-controlled input is bound into one of these attributes while i18n-* is present (e.g., <a href="{{maliciousUrl}}" i18n-href>), an attacker can inject a javascript:/malicious URL and execute script in the context of the application's origin (cookie/session theft, data exfiltration, and unauthorized actions).

Manual Review Advice: A vulnerability from this advisory is reachable if you enable internationalization for the sensitive attribute by adding i18n- while it receives untrusted data

Fix: Upgrade this library to at least version 21.2.4 at core/core-web/yarn.lock:560.

Reference(s): GHSA-g93w-mfhg-p222, CVE-2026-32635

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 1 ssc-c313d835-7f7c-4f67-a6e2-ac5038d1fb9d finding:

Risk: Affected versions of storybook are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') / Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') / Missing Origin Validation in WebSockets. Storybook's dev server WebSocket endpoint does not validate the Origin of incoming connections, enabling WebSocket hijacking. If a developer visits a malicious website while a local Storybook dev server is running (or if the dev server is publicly exposed), an attacker can open an unauthorized WebSocket connection and invoke the "create/save story" handlers to write attacker-controlled content into story files, leading to persistent XSS and potentially remote code execution and supply-chain compromise if the injected changes are committed and propagated.

Manual Review Advice: A vulnerability from this advisory is reachable if you visit a malicious website while your local Storybook dev server is running

Fix: Upgrade this library to at least version 10.2.10 at core/core-web/yarn.lock:21348.

Reference(s): GHSA-mjf5-7g4m-gx5w, CVE-2026-27148

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 1 ssc-6193c409-cebc-449c-8a55-f95fa9d0e4f0 finding:

Risk: Affected versions of rollup are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Rollup is vulnerable to arbitrary file write via path traversal: chunk/asset names derived from user-controlled inputs (e.g., CLI named inputs, manual chunk aliases, or malicious plugins) are insufficiently sanitized, allowing ../ sequences to survive and be passed into path.resolve when computing output paths. This lets an attacker escape the configured output directory and overwrite arbitrary files on the host filesystem that the build process can write to, potentially leading to persistent RCE by clobbering shell/profile or other executable/config files.

Manual Review Advice: A vulnerability from this advisory is reachable if you are running rollup --input

Fix: Upgrade this library to at least version 4.59.0 at core/core-web/yarn.lock:20379.

Reference(s): GHSA-mw96-cpmx-2vgc, CVE-2026-27606

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 ssc-d1b4e9e7-4dae-4218-8bb1-046e9a0b7e60 findings:

Risk: Affected versions of next are vulnerable to Deserialization of Untrusted Data / Uncontrolled Resource Consumption. A flaw in React Server Components' deserialization allows an attacker to send a specially crafted HTTP request to any App Router Server Function endpoint in Next.js, triggering excessive CPU usage, out-of-memory conditions, or a server crash and resulting in a denial of service.

Fix: Upgrade this library to at least version 15.0.8 at core/core-web/yarn.lock:17765.

Reference(s): GHSA-h25m-26qc-wcjf, CVE-2026-23864

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 ssc-b94a740c-3b13-43fd-9f2d-4d8bb0fe0b69 findings:

Risk: Affected versions of next are vulnerable to Dependency on Vulnerable Third-Party Component / Deserialization of Untrusted Data / Uncontrolled Resource Consumption. An attacker can send a specially crafted HTTP request to any Server Function endpoint (as used by Next.js' App Router) that, when deserialized by the React Server Components runtime, enters an infinite loop—hanging the server process, exhausting CPU, and resulting in a denial-of-service.

Fix: Upgrade this library to at least version 14.2.35 at core/core-web/yarn.lock:17765.

Reference(s): GHSA-5j59-xgg2-r9c4, CVE-2025-67779

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 ssc-74b4cbd5-76e9-40fe-adb6-38be9f569d24 findings:

Risk: Affected versions of next are vulnerable to Dependency on Vulnerable Third-Party Component / Deserialization of Untrusted Data / Uncontrolled Resource Consumption. A flaw in Next.js's App Router deserialization allows an attacker to send a specially crafted HTTP request body that, when parsed by the server, triggers excessive CPU work or an infinite loop. By targeting any App Router endpoint with this malicious payload, the server process can hang and become unresponsive, resulting in a denial-of-service.

Fix: Upgrade this library to at least version 14.2.34 at core/core-web/yarn.lock:17765.

Reference(s): GHSA-mwv6-3258-q52c

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 ssc-b23ea775-7f2b-4ba0-ba7c-ab6963c325a7 findings:

  • e2e/dotcms-e2e-node/frontend/yarn.lock
  • e2e/dotcms-e2e-node/frontend/package-lock.json

Risk: Affected versions of playwright are vulnerable to Improper Verification of Cryptographic Signature. The macOS browser reinstall scripts in Playwright use curl -k to fetch installer packages without any SSL certificate validation, allowing a man-in-the-middle attacker to serve a trojaned browser installer that's run with elevated privileges, resulting in full system compromise.

Fix: Upgrade this library to at least version 1.55.1 at core/e2e/dotcms-e2e-node/frontend/yarn.lock:904.

Reference(s): GHSA-7mvr-c777-76hp, CVE-2025-59288

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 1 ssc-cee3e6d5-d7c8-4c35-9815-076aa1ebfd49 finding:

Risk: Affected versions of rollup are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Manual Review Advice: A vulnerability from this advisory is reachable if you use Rollup to bundle JavaScript with import.meta.url and the output format is set to cjs, umd, or iife formats, while allowing users to inject scriptless HTML elements with unsanitized name attributes

Fix: Upgrade this library to at least version 4.22.4 at core/core-web/yarn.lock:20379.

Reference(s): GHSA-gcx4-mw62-g8wm, CVE-2024-47068

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 ssc-4759c514-b537-20ef-d52f-ebb0a5c388fa findings:

Risk: Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise.

Fix: Upgrade this library to at least version 1.15.0 at core/core-web/yarn.lock:10238.

Reference(s): GHSA-fvcv-3m26-pcqx, CVE-2026-40175

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 ssc-5ea2c631-7cef-a4e0-e641-d179af079827 findings:

Risk: Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying NO_PROXY, so requests to loopback or internal hosts such as localhost. or [::1] can be sent through a configured proxy instead of bypassing it. If an attacker can influence request URLs, they may force local/internal Axios traffic through an attacker-controlled proxy, undermining SSRF protections and exposing sensitive responses.

Manual Review Advice: A vulnerability from this advisory is reachable if you have NO_PROXY configured in your environment

Fix: Upgrade this library to at least version 1.15.0 at core/core-web/yarn.lock:10238.

Reference(s): GHSA-3p68-rc4w-qgx5, CVE-2025-62718

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 1 ssc-37ae9e0a-cbf0-4910-8f73-04f2275899a6 finding:

Risk: webpack 5.x before 5.76.0 is vulnerable to Improper Access Control due to ImportParserPlugin.js mishandling the magic comment feature. Due to this, webpack does not avoid cross-realm object access and an attacker who controls a property of an untrusted object can obtain access to the real global object.

Manual Review Advice: A vulnerability from this advisory is reachable if you host an application utilizing webpack and an attacker can control a property of an untrusted object

Fix: Upgrade this library to at least version 5.76.0 at core/core-web/yarn.lock:23001.

Reference(s): GHSA-hc6q-2mpp-qw7j, CVE-2023-28154

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

@hmoreras hmoreras added this pull request to the merge queue Apr 16, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 16, 2026

Labels

AI: Safe To Rollback, Area : Frontend (PR changes Angular/TypeScript frontend code)


Development

Successfully merging this pull request may close these issues.

fix(portlets): UI consistency polish — Categories, Plugins, Tags & Lara theme post-migration

2 participants