Severity: Critical
CVSS Score: 5.4
This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge()