{"id":"CVE-2020-7729","details":"The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.","aliases":["GHSA-m5pj-vjjf-4m3h"],"modified":"2026-05-15T12:03:45.733392009Z","published":"2020-09-03T09:15:10.360Z","related":["CGA-q6pm-f4xr-2rv2","SNYK-JAVA-ORGWEBJARSNPM-607922","SNYK-JS-GRUNT-597546"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"],"vendor_product":"canonical:ubuntu_linux","source":"CPE_FIELD","extracted_events":[{"last_affected":"18.04"}]},{"cpes":["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"9.0"}],"source":"CPE_FIELD","vendor_product":"debian:debian_linux"}]},"references":[{"type":"WEB","url":"https://github.com/gruntjs/grunt/blob/master/lib/grunt/file.js%23L249"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/09/msg00008.html"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-607922"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4595-1/"},{"type":"FIX","url":"https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-GRUNT-597546"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}