Command Injection Affecting lu2 package, versions >=0.0.0

Q: How to fix?

There is no fixed version for lu2 .

Threat Intelligence

2.14% (84^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Command Injection vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JS-LU2-15285654
published16 Feb 2026
disclosed16 Feb 2026
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 16 Feb 2026

NewCVE-2026-2544 (opens in a new tab) CWE-78 (opens in a new tab)

How to fix?

There is no fixed version for lu2.

Overview

lu2 is a Simple and flexible UI component library based on native HTML and JavaScript

Affected versions of this package are vulnerable to Command Injection due to the use of child_process.exec function in run.js. An attacker can execute arbitrary operating system commands by supplying crafted input remotely.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None