All versions of `sexstatic` are vulnerable to stored cross-site scripting (xss). This is exploitable if an attacker can control a filename that is served by `sexstatic`.

## Recommendation

As there is no fix is currently available for this vulnerability it is our recommendation to not install or used this module at this time.

Affected Packages

npm sexstatic

Affected versions: 0 (last affected: 0.6.2)

Related CVEs

CVE-2018-3755

Key Information

GHSA ID

GHSA-qfh2-6f7q-gr86

Published

October 1, 2018 4:30 PM

Last Modified

March 1, 2023 1:24 AM

CVSS Score

5.0 /10

Primary Ecosystem

npm

Primary Package

sexstatic

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 4, 2025 6:07 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.