Versions of `m-server` before 1.4.2 are vulnerable to stored cross-site scripting. This vulnerability is exploitable if an attacker is able to control the name of a file that `m-server` is serving.

## Recommendation

Update to version 1.4.2 or later.

Affected Packages

npm m-server

Affected versions: 0 (fixed in 1.4.2)

Related CVEs

CVE-2018-16484

Key Information

GHSA ID

GHSA-gmxv-xf2q-6j8m

Published

February 7, 2019 6:16 PM

Last Modified

September 13, 2023 7:48 PM

CVSS Score

5.0 /10

Primary Ecosystem

npm

Primary Package

m-server

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 2, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.