## Critical 9.8 CVSS Vulnerability in cms-1.0.0.tgz, Dependencies Marked 'Unreachable'
A critical security alert has been triggered for the file-based content management system `cms-1.0.0.tgz`. The scan reveals 36 total vulnerabilities, the highest of which scores 9.8 on the CVSS scale. The most severe finding, CVE-2026-25544, is classified as critical and originates from the transitive dependency `drizzle-3.54.0.tgz`. Crucially, the vulnerability analysis flags this and other findings as 'Unreachable,' a technical designation indicating the scanner could not confirm whether the vulnerable code path is directly accessible by an attacker, which complicates the risk assessment.

The vulnerability resides within the project's dependency chain, specifically in `/apps/cms/package.json`. The scan, conducted via Mend (formerly WhiteSource), shows that for the critical CVE-2026-25544, no fixed version is currently available ('N/A'), and no direct remediation is offered. The exploit maturity is listed as 'Not Defined,' and the Exploit Prediction Scoring System (EPSS) shows a less than 1% probability of exploitation in the wild, though the extreme base score warrants significant attention.

This situation presents a high-severity but ambiguous risk profile for any project or deployment using this CMS package. The 'unreachable' status may delay or complicate patching priorities, as developers must manually audit whether the vulnerable `drizzle` library functions are actually in use. The presence of 36 vulnerabilities, with partial results shown due to reporting limits, signals a potentially outdated or poorly maintained dependency tree. Projects relying on this CMS must now weigh the critical base severity against the unclear exploit path, under pressure to either find workarounds, replace the dependency, or accept the latent risk.
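
A first step in that manual audit is finding which direct dependencies pull in the flagged package. The sketch below is an added example, not output from the scan or code from the project: it walks an npm `package-lock.json` (lockfileVersion 3 layout assumed) and lists every chain from the root to `drizzle` 3.54.0. The lockfile is constructed, and every package name other than `drizzle` is hypothetical.

```javascript
// Constructed lockfile (npm lockfileVersion 3 layout). Only "drizzle" 3.54.0
// and the root cms 1.0.0 come from the report; other names are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "cms", version: "1.0.0",
          dependencies: { "site-builder": "^2.0.0", "md-render": "^1.4.0" } },
    "node_modules/site-builder": { version: "2.1.0", dependencies: { "orm-glue": "^0.9.0" } },
    "node_modules/orm-glue": { version: "0.9.3", dependencies: { drizzle: "^3.50.0" } },
    "node_modules/drizzle": { version: "3.54.0" },
    "node_modules/md-render": { version: "1.4.2", dependencies: { drizzle: "^2.0.0" } },
    "node_modules/md-render/node_modules/drizzle": { version: "2.8.1" },
  },
};

// Resolve a dependency name the way Node does: look in the requiring
// package's own node_modules first, then walk up toward the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed anywhere on the lookup path
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every chain of packages from the root to name@version. Follows runtime
// and optional dependencies only; devDependencies are not walked.
function dependencyPaths(lock, name, version) {
  const found = [];
  const walk = (path, chain, seen) => {
    const pkg = lock.packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(lock.packages, path, dep);
      if (!target || seen.has(target)) continue; // missing or cyclic
      const installed = lock.packages[target].version;
      const next = [...chain, dep + "@" + installed];
      if (dep === name && installed === version) found.push(next);
      else walk(target, next, new Set(seen).add(target));
    }
  };
  walk("", [lock.packages[""].name], new Set([""]));
  return found;
}

for (const p of dependencyPaths(sampleLock, "drizzle", "3.54.0")) console.log(p.join(" > "));
```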
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, npm, dependencies, static-site-generator
- **Credibility**: unverified
- **Published**: 2026-04-11 02:22:37
- **ID**: 59706
- **URL**: https://whisperx.ai/en/intel/59706