5.4 KiB
PCI DSS 4.0 Compliance Report
Total Findings: 712 Requirements Affected: 5
Executive Summary
| Severity | Count |
|---|---|
| CRITICAL | 1 |
| HIGH | 21 |
| MEDIUM | 59 |
| LOW | 9 |
Findings by PCI DSS Requirement
Requirement 6.2.4: Prevent XSS attacks in bespoke software
Priority: CRITICAL Findings: 3
- MEDIUM: 3 findings
Top Findings:
-
[MEDIUM]
CVE-2026-44580- Next.js has cross-site scripting in beforeInteractive scripts with untrusted input- Location:
package-lock.json:0
- Location:
-
[MEDIUM]
CVE-2026-44581- Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces- Location:
package-lock.json:0
- Location:
-
[MEDIUM]
CVE-2026-41305- postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags- Location:
package-lock.json:0
- Location:
Requirement 6.3.3: Security vulnerabilities are identified and managed
Priority: CRITICAL Findings: 671
- CRITICAL: 1 findings
- HIGH: 21 findings
- MEDIUM: 18 findings
Top Findings:
-
[LOW]
CVE-2026-3449- @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A- Location:
package-lock.json:0
- Location:
-
[HIGH]
CVE-2026-44665- fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content- Location:
package-lock.json:0
- Location:
-
[MEDIUM]
CVE-2026-44664- fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM- Location:
package-lock.json:0
- Location:
-
[HIGH]
CVE-2025-47935- Multer vulnerable to Denial of Service via memory leaks from unclosed streams- Location:
package-lock.json:0
- Location:
-
[HIGH]
CVE-2025-47944- Multer vulnerable to Denial of Service from maliciously crafted requests- Location:
package-lock.json:0
- Location:
Requirement 8.2.1: Verify user identity before credential modification
Priority: HIGH Findings: 41
- MEDIUM: 41 findings
Top Findings:
-
[MEDIUM]
Postgres- postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432- Location:
/scan/.env.docker.production.example:0
- Location:
-
[MEDIUM]
Postgres- postgresql://postgres:password@postgres:5432- Location:
/scan/.env.local:0
- Location:
-
[MEDIUM]
Postgres- postgresql://postgres:password@postgres:5432- Location:
/scan/.env.docker.dev:0
- Location:
-
[MEDIUM]
Postgres- postgresql://postgres:password@postgres:5432- Location:
/scan/.env.docker.test:0
- Location:
-
[MEDIUM]
Postgres- postgresql://postgres:password@postgres:5432- Location:
/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0
- Location:
Requirement 8.3.2: Strong cryptography for authentication credentials
Priority: CRITICAL Findings: 41
- MEDIUM: 41 findings
Top Findings:
-
[MEDIUM]
Postgres- postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432- Location:
/scan/.env.docker.production.example:0
- Location:
-
[MEDIUM]
Postgres- postgresql://postgres:password@postgres:5432- Location:
/scan/.env.local:0
- Location:
-
[MEDIUM]
Postgres- postgresql://postgres:password@postgres:5432- Location:
/scan/.env.docker.dev:0
- Location:
-
[MEDIUM]
Postgres- postgresql://postgres:password@postgres:5432- Location:
/scan/.env.docker.test:0
- Location:
-
[MEDIUM]
Postgres- postgresql://postgres:password@postgres:5432- Location:
/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0
- Location:
Requirement 11.3.1: Internal vulnerability scans are performed
Priority: HIGH Findings: 671
- CRITICAL: 1 findings
- HIGH: 21 findings
- MEDIUM: 18 findings
Top Findings:
-
[LOW]
CVE-2026-3449- @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A- Location:
package-lock.json:0
- Location:
-
[HIGH]
CVE-2026-44665- fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content- Location:
package-lock.json:0
- Location:
-
[MEDIUM]
CVE-2026-44664- fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM- Location:
package-lock.json:0
- Location:
-
[HIGH]
CVE-2025-47935- Multer vulnerable to Denial of Service via memory leaks from unclosed streams- Location:
package-lock.json:0
- Location:
-
[HIGH]
CVE-2025-47944- Multer vulnerable to Denial of Service from maliciously crafted requests- Location:
package-lock.json:0
- Location:
Recommendations
Critical Actions Required
The following PCI DSS requirements have CRITICAL findings that must be addressed immediately:
-
Requirement 6.3.3: Security vulnerabilities are identified and managed
- 1 CRITICAL findings
-
Requirement 11.3.1: Internal vulnerability scans are performed
- 1 CRITICAL findings
Compliance Status
- Requirements Passed: N/A (manual validation required)
- Requirements with Findings: 5
- Requirements Not Tested: N/A (scope determined by organization)
Next Steps
- Remediate CRITICAL findings within 24 hours (per PCI DSS remediation SLAs)
- Remediate HIGH findings within 7 days
- Document compensating controls for accepted risks
- Re-scan after remediation to verify fixes
- Submit ASV scan report to Qualified Security Assessor (if applicable)
This report was generated by JMo Security Audit Tool Suite. Report generation date: Auto-generated