RSEC-2026-0

See a problem?

Import Source

https://github.com/RConsortium/r-advisory-database/blob/main/vulns/widgetframe/RSEC-2026-0.yaml

JSON Data

https://api.osv.dev/v1/vulns/RSEC-2026-0

Upstream

CVE-2018-1000086

Published

2026-02-18T10:30:00Z

Modified

2026-02-18T22:30:36.922343Z

Summary

Cross-site Request Forgery (CSRF) vulnerability

Details

The widgetframe R package is exposed to a vulnerability due to its use of the Pym.js library version 1.3.1. This can result in arbitrary javascript code execution.

References

https://nvd.nist.gov/vuln/detail/CVE-2018-1000086
https://blog.apps.npr.org/2018/02/15/pym-security-vulnerability.html
https://github.com/trafficonese/widgetframe/issues/12
https://github.com/trafficonese/widgetframe/pull/13

Affected packages

CRAN / widgetframe

Package

Name: widgetframe
Purl: pkg:cran/widgetframe

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.1.0

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.3.1

Database specific

source

"https://github.com/RConsortium/r-advisory-database/blob/main/vulns/widgetframe/RSEC-2026-0.yaml"