CVE-2021-26275: 
JavaScript vulnerability analysis and mitigation

The eslint-fixer package through version 0.1.5 for Node.js contains a critical command injection vulnerability that allows attackers to execute arbitrary commands via shell metacharacters to the fix function. This vulnerability was discovered in March 2021 and affects all versions up to and including 0.1.5. The package is no longer maintained, and the GitHub repository has been intentionally deleted (NVD, NPM Package).

The vulnerability has been assigned CVE-2021-26275 with a CVSS v3.1 base score of 9.8 (CRITICAL), indicating a high-severity security issue. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command Injection). The issue stems from insufficient input validation in the fix function, which allows injection of shell metacharacters that can be used to execute arbitrary system commands (NVD).

The vulnerability allows attackers to execute arbitrary commands on the system where the package is installed. Given the CVSS score of 9.8, this represents a critical security risk that could lead to complete system compromise, as it allows command execution with the privileges of the process running the Node.js application (NVD).

Since the package is no longer maintained and the repository has been intentionally deleted, the recommended mitigation is to immediately discontinue use of the eslint-fixer package and remove it from any projects where it is implemented. Users should seek alternative solutions for ESLint fixing functionality (NVD).