Severity: Critical
CVSS Score: 9.8
The package total.js before 3.4.8 are vulnerable to Remote Code Execution (RCE) via set.