# PCI DSS 4.0 Compliance Report **Total Findings:** 712 **Requirements Affected:** 5 ## Executive Summary | Severity | Count | |----------|-------| | **CRITICAL** | 1 | | **HIGH** | 21 | | **MEDIUM** | 59 | | **LOW** | 9 | ## Findings by PCI DSS Requirement ### Requirement 6.2.4: Prevent XSS attacks in bespoke software **Priority:** CRITICAL **Findings:** 3 - **MEDIUM**: 3 findings **Top Findings:** 1. **[MEDIUM]** `CVE-2026-44580` - Next.js has cross-site scripting in beforeInteractive scripts with untrusted input - Location: `package-lock.json:0` 2. **[MEDIUM]** `CVE-2026-44581` - Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces - Location: `package-lock.json:0` 3. **[MEDIUM]** `CVE-2026-41305` - postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags - Location: `package-lock.json:0` --- ### Requirement 6.3.3: Security vulnerabilities are identified and managed **Priority:** CRITICAL **Findings:** 671 - **CRITICAL**: 1 findings - **HIGH**: 21 findings - **MEDIUM**: 18 findings **Top Findings:** 1. **[LOW]** `CVE-2026-3449` - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A - Location: `package-lock.json:0` 2. **[HIGH]** `CVE-2026-44665` - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content - Location: `package-lock.json:0` 3. **[MEDIUM]** `CVE-2026-44664` - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM - Location: `package-lock.json:0` 4. **[HIGH]** `CVE-2025-47935` - Multer vulnerable to Denial of Service via memory leaks from unclosed streams - Location: `package-lock.json:0` 5. **[HIGH]** `CVE-2025-47944` - Multer vulnerable to Denial of Service from maliciously crafted requests - Location: `package-lock.json:0` --- ### Requirement 8.2.1: Verify user identity before credential modification **Priority:** HIGH **Findings:** 41 - **MEDIUM**: 41 findings **Top Findings:** 1. **[MEDIUM]** `Postgres` - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432 - Location: `/scan/.env.docker.production.example:0` 2. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432 - Location: `/scan/.env.local:0` 3. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432 - Location: `/scan/.env.docker.dev:0` 4. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432 - Location: `/scan/.env.docker.test:0` 5. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432 - Location: `/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0` --- ### Requirement 8.3.2: Strong cryptography for authentication credentials **Priority:** CRITICAL **Findings:** 41 - **MEDIUM**: 41 findings **Top Findings:** 1. **[MEDIUM]** `Postgres` - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432 - Location: `/scan/.env.docker.production.example:0` 2. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432 - Location: `/scan/.env.local:0` 3. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432 - Location: `/scan/.env.docker.dev:0` 4. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432 - Location: `/scan/.env.docker.test:0` 5. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432 - Location: `/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0` --- ### Requirement 11.3.1: Internal vulnerability scans are performed **Priority:** HIGH **Findings:** 671 - **CRITICAL**: 1 findings - **HIGH**: 21 findings - **MEDIUM**: 18 findings **Top Findings:** 1. **[LOW]** `CVE-2026-3449` - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A - Location: `package-lock.json:0` 2. **[HIGH]** `CVE-2026-44665` - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content - Location: `package-lock.json:0` 3. **[MEDIUM]** `CVE-2026-44664` - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM - Location: `package-lock.json:0` 4. **[HIGH]** `CVE-2025-47935` - Multer vulnerable to Denial of Service via memory leaks from unclosed streams - Location: `package-lock.json:0` 5. **[HIGH]** `CVE-2025-47944` - Multer vulnerable to Denial of Service from maliciously crafted requests - Location: `package-lock.json:0` --- ## Recommendations ### Critical Actions Required The following PCI DSS requirements have CRITICAL findings that must be addressed immediately: 1. **Requirement 6.3.3**: Security vulnerabilities are identified and managed - 1 CRITICAL findings 1. **Requirement 11.3.1**: Internal vulnerability scans are performed - 1 CRITICAL findings ### Compliance Status - **Requirements Passed**: N/A (manual validation required) - **Requirements with Findings**: 5 - **Requirements Not Tested**: N/A (scope determined by organization) ### Next Steps 1. **Remediate CRITICAL findings** within 24 hours (per PCI DSS remediation SLAs) 2. **Remediate HIGH findings** within 7 days 3. **Document compensating controls** for accepted risks 4. **Re-scan** after remediation to verify fixes 5. **Submit ASV scan report** to Qualified Security Assessor (if applicable) --- *This report was generated by JMo Security Audit Tool Suite.* *Report generation date: Auto-generated*