Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

779 vulnerabilities reference this CWE, most recent first.

CVE-2026-15697 (GCVE-0-2026-15697)

Vulnerability from cvelistv5 – Published: 2026-07-14 15:15 – Updated: 2026-07-15 14:47
VLAI
Title
svgdotjs svg.js npm Package API EventTarget.on prototype pollution
Summary
A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of object prototype attributes. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
  • CWE-94 - Code Injection
Assigner
References
URL Tags
https://vuldb.com/vuln/378244 vdb-entrytechnical-description
https://vuldb.com/vuln/378244/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-15697 third-party-advisory
https://vuldb.com/submit/856013 third-party-advisory
https://github.com/svgdotjs/svg.js/issues/1343 issue-tracking
https://github.com/svgdotjs/svg.js/ product
Impacted products
Vendor Product Version
svgdotjs svg.js Affected: 3.2.0
Affected: 3.2.1
Affected: 3.2.2
Affected: 3.2.3
Affected: 3.2.4
Affected: 3.2.5
    cpe:2.3:a:svgdotjs:svg.js:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
wjm1 (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15697",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T14:47:38.072686Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T14:47:52.297Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:svgdotjs:svg.js:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "npm Package API"
          ],
          "product": "svg.js",
          "vendor": "svgdotjs",
          "versions": [
            {
              "status": "affected",
              "version": "3.2.0"
            },
            {
              "status": "affected",
              "version": "3.2.1"
            },
            {
              "status": "affected",
              "version": "3.2.2"
            },
            {
              "status": "affected",
              "version": "3.2.3"
            },
            {
              "status": "affected",
              "version": "3.2.4"
            },
            {
              "status": "affected",
              "version": "3.2.5"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "wjm1 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of object prototype attributes. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "Improperly Controlled Modification of Object Prototype Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T15:15:09.763Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-378244 | svgdotjs svg.js npm Package API EventTarget.on prototype pollution",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/378244"
        },
        {
          "name": "VDB-378244 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/378244/cti"
        },
        {
          "name": "CVE-2026-15697 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15697"
        },
        {
          "name": "Submit #856013 | Node.js @svgdotjs/svg.js 3.2.5 Prototype Pollution",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/856013"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/svgdotjs/svg.js/issues/1343"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/svgdotjs/svg.js/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-14T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-14T07:06:45.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "svgdotjs svg.js npm Package API EventTarget.on prototype pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15697",
    "datePublished": "2026-07-14T15:15:09.763Z",
    "dateReserved": "2026-07-14T05:01:41.727Z",
    "dateUpdated": "2026-07-15T14:47:52.297Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15607 (GCVE-0-2026-15607)

Vulnerability from cvelistv5 – Published: 2026-07-13 23:00 – Updated: 2026-07-15 15:49 X_Open Source
VLAI
Title
tanstack db Alias Path select.ts select prototype pollution
Summary
A vulnerability was detected in tanstack db up to 0.6.8. Affected by this vulnerability is the function select of the file src/query/compiler/select.ts of the component Alias Path Handler. The manipulation results in improperly controlled modification of object prototype attributes. The attack may be launched remotely. The exploit is now public and may be used. The patch is identified as ac09b1177a100eafa85cba3cd09dd1f53f933ded. A patch should be applied to remediate this issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
  • CWE-94 - Code Injection
Assigner
References
Impacted products
Vendor Product Version
tanstack db Affected: 0.6.0
Affected: 0.6.1
Affected: 0.6.2
Affected: 0.6.3
Affected: 0.6.4
Affected: 0.6.5
Affected: 0.6.6
Affected: 0.6.7
Affected: 0.6.8
    cpe:2.3:a:tanstack:db:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Dremig (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15607",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T15:41:35.306130Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T15:49:45.254Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:tanstack:db:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Alias Path Handler"
          ],
          "product": "db",
          "vendor": "tanstack",
          "versions": [
            {
              "status": "affected",
              "version": "0.6.0"
            },
            {
              "status": "affected",
              "version": "0.6.1"
            },
            {
              "status": "affected",
              "version": "0.6.2"
            },
            {
              "status": "affected",
              "version": "0.6.3"
            },
            {
              "status": "affected",
              "version": "0.6.4"
            },
            {
              "status": "affected",
              "version": "0.6.5"
            },
            {
              "status": "affected",
              "version": "0.6.6"
            },
            {
              "status": "affected",
              "version": "0.6.7"
            },
            {
              "status": "affected",
              "version": "0.6.8"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dremig (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in tanstack db up to 0.6.8. Affected by this vulnerability is the function select of the file src/query/compiler/select.ts of the component Alias Path Handler. The manipulation results in improperly controlled modification of object prototype attributes. The attack may be launched remotely. The exploit is now public and may be used. The patch is identified as ac09b1177a100eafa85cba3cd09dd1f53f933ded. A patch should be applied to remediate this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "Improperly Controlled Modification of Object Prototype Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-13T23:00:15.192Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-378115 | tanstack db Alias Path select.ts select prototype pollution",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/378115"
        },
        {
          "name": "VDB-378115 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/378115/cti"
        },
        {
          "name": "CVE-2026-15607 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15607"
        },
        {
          "name": "Submit #855677 | Node.js @tanstack/db 0.6.8 Prototype Pollution",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/855677"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/TanStack/db/issues/1584"
        },
        {
          "tags": [
            "issue-tracking",
            "patch"
          ],
          "url": "https://github.com/TanStack/db/pull/1595"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/TanStack/db/commit/ac09b1177a100eafa85cba3cd09dd1f53f933ded"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/TanStack/db/"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-13T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-13T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-13T17:45:22.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "tanstack db Alias Path select.ts select prototype pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15607",
    "datePublished": "2026-07-13T23:00:15.192Z",
    "dateReserved": "2026-07-13T15:40:19.194Z",
    "dateUpdated": "2026-07-15T15:49:45.254Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15598 (GCVE-0-2026-15598)

Vulnerability from cvelistv5 – Published: 2026-07-13 22:00 – Updated: 2026-07-14 13:01
VLAI
Title
antv layout object.js setNestedValue prototype pollution
Summary
A weakness has been identified in antv layout 2.0.0. This impacts the function setNestedValue in the library lib/util/object.js. Executing a manipulation of the argument path can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
  • CWE-94 - Code Injection
Assigner
References
URL Tags
https://vuldb.com/vuln/378113 vdb-entrytechnical-description
https://vuldb.com/vuln/378113/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-15598 third-party-advisory
https://vuldb.com/submit/855637 third-party-advisory
https://github.com/antvis/layout/issues/292 issue-tracking
Impacted products
Vendor Product Version
antv layout Affected: 2.0.0
    cpe:2.3:a:antv:layout:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Dremig (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15598",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-14T13:01:05.118517Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-14T13:01:23.090Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/antvis/layout/issues/292"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:antv:layout:*:*:*:*:*:*:*:*"
          ],
          "product": "layout",
          "vendor": "antv",
          "versions": [
            {
              "status": "affected",
              "version": "2.0.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dremig (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in antv layout 2.0.0. This impacts the function setNestedValue in the library lib/util/object.js. Executing a manipulation of the argument path can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "Improperly Controlled Modification of Object Prototype Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-13T22:00:11.338Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-378113 | antv layout object.js setNestedValue prototype pollution",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/378113"
        },
        {
          "name": "VDB-378113 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/378113/cti"
        },
        {
          "name": "CVE-2026-15598 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15598"
        },
        {
          "name": "Submit #855637 | Node.js @antv/layout 2.0.0 Prototype Pollution",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/855637"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/antvis/layout/issues/292"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-13T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-13T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-13T16:13:50.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "antv layout object.js setNestedValue prototype pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15598",
    "datePublished": "2026-07-13T22:00:11.338Z",
    "dateReserved": "2026-07-13T14:08:46.995Z",
    "dateUpdated": "2026-07-14T13:01:23.090Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15538 (GCVE-0-2026-15538)

Vulnerability from cvelistv5 – Published: 2026-07-13 06:00 – Updated: 2026-07-13 15:22 Unsupported When Assigned
VLAI
Title
primefaces primereact API ObjectUtils.mutateFieldData prototype pollution
Summary
A weakness has been identified in primefaces primereact up to 10.9.8. This issue affects the function ObjectUtils.mutateFieldData of the component API. This manipulation of the argument Field causes improperly controlled modification of object prototype attributes. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
  • CWE-94 - Code Injection
Assigner
References
Impacted products
Vendor Product Version
primefaces primereact Affected: 10.9.0
Affected: 10.9.1
Affected: 10.9.2
Affected: 10.9.3
Affected: 10.9.4
Affected: 10.9.5
Affected: 10.9.6
Affected: 10.9.7
Affected: 10.9.8
    cpe:2.3:a:primefaces:primereact:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Dremig (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15538",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T15:21:54.694785Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T15:22:07.104Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:primefaces:primereact:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "API"
          ],
          "product": "primereact",
          "vendor": "primefaces",
          "versions": [
            {
              "status": "affected",
              "version": "10.9.0"
            },
            {
              "status": "affected",
              "version": "10.9.1"
            },
            {
              "status": "affected",
              "version": "10.9.2"
            },
            {
              "status": "affected",
              "version": "10.9.3"
            },
            {
              "status": "affected",
              "version": "10.9.4"
            },
            {
              "status": "affected",
              "version": "10.9.5"
            },
            {
              "status": "affected",
              "version": "10.9.6"
            },
            {
              "status": "affected",
              "version": "10.9.7"
            },
            {
              "status": "affected",
              "version": "10.9.8"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dremig (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in primefaces primereact up to 10.9.8. This issue affects the function ObjectUtils.mutateFieldData of the component API. This manipulation of the argument Field causes improperly controlled modification of object prototype attributes. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "Improperly Controlled Modification of Object Prototype Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-13T06:00:11.115Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377888 | primefaces primereact API ObjectUtils.mutateFieldData prototype pollution",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377888"
        },
        {
          "name": "VDB-377888 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377888/cti"
        },
        {
          "name": "CVE-2026-15538 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15538"
        },
        {
          "name": "Submit #855024 | Node.js primereact 10.9.8 Prototype Pollution",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/855024"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/primefaces/primereact/issues/8553"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/Mantle-UI/mantle-ui/issues/50"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/primefaces/primereact/"
        }
      ],
      "tags": [
        "unsupported-when-assigned"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-12T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-12T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-12T20:08:10.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "primefaces primereact API ObjectUtils.mutateFieldData prototype pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15538",
    "datePublished": "2026-07-13T06:00:11.115Z",
    "dateReserved": "2026-07-12T18:03:07.553Z",
    "dateUpdated": "2026-07-13T15:22:07.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15195 (GCVE-0-2026-15195)

Vulnerability from cvelistv5 – Published: 2026-07-09 17:15 – Updated: 2026-07-09 18:23 X_Open Source
VLAI
Title
apidevtools json-schema-ref-parser pointer.ts Pointer.set prototype pollution
Summary
A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. Upgrading to version 15.3.6 will fix this issue. This patch is called a786bc6afc3674f650496472ee93d5cf74c4bd84. It is suggested to upgrade the affected component.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
  • CWE-94 - Code Injection
Assigner
Impacted products
Vendor Product Version
apidevtools json-schema-ref-parser Affected: 15.3.0
Affected: 15.3.1
Affected: 15.3.2
Affected: 15.3.3
Affected: 15.3.4
Affected: 15.3.5
Unaffected: 15.3.6
    cpe:2.3:a:apidevtools:json-schema-ref-parser:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Dremig (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15195",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T18:22:56.575261Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T18:23:06.195Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/APIDevTools/json-schema-ref-parser/issues/421"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:apidevtools:json-schema-ref-parser:*:*:*:*:*:*:*:*"
          ],
          "product": "json-schema-ref-parser",
          "vendor": "apidevtools",
          "versions": [
            {
              "status": "affected",
              "version": "15.3.0"
            },
            {
              "status": "affected",
              "version": "15.3.1"
            },
            {
              "status": "affected",
              "version": "15.3.2"
            },
            {
              "status": "affected",
              "version": "15.3.3"
            },
            {
              "status": "affected",
              "version": "15.3.4"
            },
            {
              "status": "affected",
              "version": "15.3.5"
            },
            {
              "status": "unaffected",
              "version": "15.3.6"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dremig (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. Upgrading to version 15.3.6 will fix this issue. This patch is called a786bc6afc3674f650496472ee93d5cf74c4bd84. It is suggested to upgrade the affected component."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "Improperly Controlled Modification of Object Prototype Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T17:15:08.989Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377123 | apidevtools json-schema-ref-parser pointer.ts Pointer.set prototype pollution",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377123"
        },
        {
          "name": "VDB-377123 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377123/cti"
        },
        {
          "name": "CVE-2026-15195 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15195"
        },
        {
          "name": "Submit #851809 | Node.js @apidevtools/json-schema-ref-parser 15.3.5 Improperly Controlled Modification of Object Prototype Attribute",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/851809"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/APIDevTools/json-schema-ref-parser/issues/421"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/APIDevTools/json-schema-ref-parser/commit/a786bc6afc3674f650496472ee93d5cf74c4bd84"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/APIDevTools/json-schema-ref-parser/releases/tag/v15.3.6"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/APIDevTools/json-schema-ref-parser/"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-09T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-09T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-09T08:05:56.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "apidevtools json-schema-ref-parser pointer.ts Pointer.set prototype pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15195",
    "datePublished": "2026-07-09T17:15:08.989Z",
    "dateReserved": "2026-07-09T06:00:53.324Z",
    "dateUpdated": "2026-07-09T18:23:06.195Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15187 (GCVE-0-2026-15187)

Vulnerability from cvelistv5 – Published: 2026-07-09 14:30 – Updated: 2026-07-09 16:07
VLAI
Title
enquirer Public Package API Enquirer.set prototype pollution
Summary
A security flaw has been discovered in enquirer up to 2.4.1. Affected is the function Enquirer.set of the component Public Package API. The manipulation of the argument question.name results in improperly controlled modification of object prototype attributes. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
  • CWE-94 - Code Injection
Assigner
References
Impacted products
Vendor Product Version
n/a enquirer Affected: 2.4.0
Affected: 2.4.1
    cpe:2.3:a:enquirer:enquirer:*:*:*:*:*:*:*:*
Credits
Dremig (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-15187",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T16:07:18.764860Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T16:07:24.338Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:enquirer:enquirer:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Public Package API"
          ],
          "product": "enquirer",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "2.4.0"
            },
            {
              "status": "affected",
              "version": "2.4.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Dremig (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in enquirer up to 2.4.1. Affected is the function Enquirer.set of the component Public Package API. The manipulation of the argument question.name results in improperly controlled modification of object prototype attributes. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "Improperly Controlled Modification of Object Prototype Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T14:30:09.080Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377113 | enquirer Public Package API Enquirer.set prototype pollution",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377113"
        },
        {
          "name": "VDB-377113 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377113/cti"
        },
        {
          "name": "CVE-2026-15187 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15187"
        },
        {
          "name": "Submit #851357 | Node.js enquirer 2.4.1 Prototype Pollution",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/851357"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/enquirer/enquirer/issues/487"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/enquirer/enquirer/issues/487#issuecomment-4648521328"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/enquirer/enquirer/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-09T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-09T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-09T07:20:00.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "enquirer Public Package API Enquirer.set prototype pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15187",
    "datePublished": "2026-07-09T14:30:09.080Z",
    "dateReserved": "2026-07-09T05:14:13.888Z",
    "dateUpdated": "2026-07-09T16:07:24.338Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12209 (GCVE-0-2026-12209)

Vulnerability from cvelistv5 – Published: 2026-06-15 02:15 – Updated: 2026-06-15 12:52
VLAI
Title
RubyLouvre avalon Template Filter index.js prototype pollution
Summary
A security vulnerability has been detected in RubyLouvre avalon up to 2.2.10. The impacted element is an unknown function of the file src/filters/index.js of the component Template Filter Handler. Such manipulation leads to improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
  • CWE-94 - Code Injection
Assigner
References
Impacted products
Vendor Product Version
RubyLouvre avalon Affected: 2.2.0
Affected: 2.2.1
Affected: 2.2.2
Affected: 2.2.3
Affected: 2.2.4
Affected: 2.2.5
Affected: 2.2.6
Affected: 2.2.7
Affected: 2.2.8
Affected: 2.2.9
Affected: 2.2.10
    cpe:2.3:a:rubylouvre:avalon:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Frederick (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12209",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T12:52:08.917862Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T12:52:28.046Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:rubylouvre:avalon:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Template Filter Handler"
          ],
          "product": "avalon",
          "vendor": "RubyLouvre",
          "versions": [
            {
              "status": "affected",
              "version": "2.2.0"
            },
            {
              "status": "affected",
              "version": "2.2.1"
            },
            {
              "status": "affected",
              "version": "2.2.2"
            },
            {
              "status": "affected",
              "version": "2.2.3"
            },
            {
              "status": "affected",
              "version": "2.2.4"
            },
            {
              "status": "affected",
              "version": "2.2.5"
            },
            {
              "status": "affected",
              "version": "2.2.6"
            },
            {
              "status": "affected",
              "version": "2.2.7"
            },
            {
              "status": "affected",
              "version": "2.2.8"
            },
            {
              "status": "affected",
              "version": "2.2.9"
            },
            {
              "status": "affected",
              "version": "2.2.10"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Frederick (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in RubyLouvre avalon up to 2.2.10. The impacted element is an unknown function of the file src/filters/index.js of the component Template Filter Handler. Such manipulation leads to improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "Improperly Controlled Modification of Object Prototype Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T02:15:07.361Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-370851 | RubyLouvre avalon Template Filter index.js prototype pollution",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/370851"
        },
        {
          "name": "VDB-370851 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/370851/cti"
        },
        {
          "name": "CVE-2026-12209 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12209"
        },
        {
          "name": "Submit #832447 | RubyLouvre avalon 0.9.9 - 2.2.10 Code Injection / Prototype Pollution",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/832447"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/OriginSecurityX/avalon-filter-rce"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-14T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-14T14:32:59.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "RubyLouvre avalon Template Filter index.js prototype pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12209",
    "datePublished": "2026-06-15T02:15:07.361Z",
    "dateReserved": "2026-06-14T12:27:55.933Z",
    "dateUpdated": "2026-06-15T12:52:28.046Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12208 (GCVE-0-2026-12208)

Vulnerability from cvelistv5 – Published: 2026-06-15 02:00 – Updated: 2026-06-15 19:25
VLAI
Title
jsonata-js jsonata Function Binding Frame System jsonata.js createFrame prototype pollution
Summary
A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled modification of object prototype attributes. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
  • CWE-94 - Code Injection
Assigner
References
URL Tags
https://vuldb.com/vuln/370850 vdb-entrytechnical-description
https://vuldb.com/vuln/370850/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-12208 third-party-advisory
https://vuldb.com/submit/832446 third-party-advisory
https://github.com/OriginSecurityX/jsonata-hasown… exploit
Impacted products
Vendor Product Version
jsonata-js jsonata Affected: 2.0
Affected: 2.1
Affected: 2.2.0
    cpe:2.3:a:jsonata-js:jsonata:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Frederick (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12208",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T15:59:05.825392Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T19:25:11.446Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:jsonata-js:jsonata:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Function Binding Frame System"
          ],
          "product": "jsonata",
          "vendor": "jsonata-js",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            },
            {
              "status": "affected",
              "version": "2.1"
            },
            {
              "status": "affected",
              "version": "2.2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Frederick (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled modification of object prototype attributes. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "Improperly Controlled Modification of Object Prototype Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T02:00:08.916Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-370850 | jsonata-js jsonata Function Binding Frame System jsonata.js createFrame prototype pollution",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/370850"
        },
        {
          "name": "VDB-370850 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/370850/cti"
        },
        {
          "name": "CVE-2026-12208 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12208"
        },
        {
          "name": "Submit #832446 | jsonata-js jsonata 2.2.0 Prototype Pollution",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/832446"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/OriginSecurityX/jsonata-hasownproperty-bypass"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-14T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-14T14:30:41.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "jsonata-js jsonata Function Binding Frame System jsonata.js createFrame prototype pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12208",
    "datePublished": "2026-06-15T02:00:08.916Z",
    "dateReserved": "2026-06-14T12:25:38.149Z",
    "dateUpdated": "2026-06-15T19:25:11.446Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9101 (GCVE-0-2026-9101)

Vulnerability from cvelistv5 – Published: 2026-05-20 16:18 – Updated: 2026-05-27 13:10
VLAI
Title
Prototype pollution in csv parsing
Summary
Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
Vendor Product Version
MongoDB, Inc. Compass Affected: 1.36.3
Affected: 1.36.4
Affected: 1.37.0
Affected: 1.38.0
Affected: 1.38.1
Affected: 1.38.2
Affected: 1.39.0
Affected: 1.39.1
Affected: 1.39.2
Affected: 1.39.3
Affected: 1.39.4
Affected: 1.40.0
Affected: 1.40.1
Affected: 1.40.2
Affected: 1.40.3
Affected: 1.40.4
Affected: 1.41.0
Affected: 1.42.0
Affected: 1.42.1
Affected: 1.42.2
Affected: 1.42.3
Affected: 1.42.5
Affected: 1.43.0
Affected: 1.43.1
Affected: 1.43.2
Affected: 1.43.3
Affected: 1.43.4
Affected: 1.43.5
Affected: 1.43.6
Affected: 1.44.0
Affected: 1.44.3
Affected: 1.44.4
Affected: 1.44.5
Affected: 1.44.6
Affected: 1.44.7
Affected: 1.45.0
Affected: 1.45.1
Affected: 1.45.2
Affected: 1.45.3
Affected: 1.45.4
Affected: 1.46.0
Affected: 1.46.1
Affected: 1.46.2
Affected: 1.46.3
Affected: 1.46.4
Affected: 1.46.5
Affected: 1.46.6
Affected: 1.46.7
Affected: 1.46.8
Affected: 1.46.9
Affected: 1.46.10
Affected: 1.46.11
Affected: 1.47.0
Affected: 1.47.1
Affected: 1.48.0
Affected: 1.48.1
Affected: 1.48.2
Affected: 1.49.0
Affected: 1.49.1
Affected: 1.49.2
Affected: 1.49.3
Affected: 1.49.4
Affected: 1.49.5
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9101",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-23T03:55:43.091186Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T13:10:03.012Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Compass",
          "vendor": "MongoDB, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "1.36.3"
            },
            {
              "status": "affected",
              "version": "1.36.4"
            },
            {
              "status": "affected",
              "version": "1.37.0"
            },
            {
              "status": "affected",
              "version": "1.38.0"
            },
            {
              "status": "affected",
              "version": "1.38.1"
            },
            {
              "status": "affected",
              "version": "1.38.2"
            },
            {
              "status": "affected",
              "version": "1.39.0"
            },
            {
              "status": "affected",
              "version": "1.39.1"
            },
            {
              "status": "affected",
              "version": "1.39.2"
            },
            {
              "status": "affected",
              "version": "1.39.3"
            },
            {
              "status": "affected",
              "version": "1.39.4"
            },
            {
              "status": "affected",
              "version": "1.40.0"
            },
            {
              "status": "affected",
              "version": "1.40.1"
            },
            {
              "status": "affected",
              "version": "1.40.2"
            },
            {
              "status": "affected",
              "version": "1.40.3"
            },
            {
              "status": "affected",
              "version": "1.40.4"
            },
            {
              "status": "affected",
              "version": "1.41.0"
            },
            {
              "status": "affected",
              "version": "1.42.0"
            },
            {
              "status": "affected",
              "version": "1.42.1"
            },
            {
              "status": "affected",
              "version": "1.42.2"
            },
            {
              "status": "affected",
              "version": "1.42.3"
            },
            {
              "status": "affected",
              "version": "1.42.5"
            },
            {
              "status": "affected",
              "version": "1.43.0"
            },
            {
              "status": "affected",
              "version": "1.43.1"
            },
            {
              "status": "affected",
              "version": "1.43.2"
            },
            {
              "status": "affected",
              "version": "1.43.3"
            },
            {
              "status": "affected",
              "version": "1.43.4"
            },
            {
              "status": "affected",
              "version": "1.43.5"
            },
            {
              "status": "affected",
              "version": "1.43.6"
            },
            {
              "status": "affected",
              "version": "1.44.0"
            },
            {
              "status": "affected",
              "version": "1.44.3"
            },
            {
              "status": "affected",
              "version": "1.44.4"
            },
            {
              "status": "affected",
              "version": "1.44.5"
            },
            {
              "status": "affected",
              "version": "1.44.6"
            },
            {
              "status": "affected",
              "version": "1.44.7"
            },
            {
              "status": "affected",
              "version": "1.45.0"
            },
            {
              "status": "affected",
              "version": "1.45.1"
            },
            {
              "status": "affected",
              "version": "1.45.2"
            },
            {
              "status": "affected",
              "version": "1.45.3"
            },
            {
              "status": "affected",
              "version": "1.45.4"
            },
            {
              "status": "affected",
              "version": "1.46.0"
            },
            {
              "status": "affected",
              "version": "1.46.1"
            },
            {
              "status": "affected",
              "version": "1.46.2"
            },
            {
              "status": "affected",
              "version": "1.46.3"
            },
            {
              "status": "affected",
              "version": "1.46.4"
            },
            {
              "status": "affected",
              "version": "1.46.5"
            },
            {
              "status": "affected",
              "version": "1.46.6"
            },
            {
              "status": "affected",
              "version": "1.46.7"
            },
            {
              "status": "affected",
              "version": "1.46.8"
            },
            {
              "status": "affected",
              "version": "1.46.9"
            },
            {
              "status": "affected",
              "version": "1.46.10"
            },
            {
              "status": "affected",
              "version": "1.46.11"
            },
            {
              "status": "affected",
              "version": "1.47.0"
            },
            {
              "status": "affected",
              "version": "1.47.1"
            },
            {
              "status": "affected",
              "version": "1.48.0"
            },
            {
              "status": "affected",
              "version": "1.48.1"
            },
            {
              "status": "affected",
              "version": "1.48.2"
            },
            {
              "status": "affected",
              "version": "1.49.0"
            },
            {
              "status": "affected",
              "version": "1.49.1"
            },
            {
              "status": "affected",
              "version": "1.49.2"
            },
            {
              "status": "affected",
              "version": "1.49.3"
            },
            {
              "status": "affected",
              "version": "1.49.4"
            },
            {
              "status": "affected",
              "version": "1.49.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to \"1-click\" command execution."
            }
          ],
          "value": "Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to \"1-click\" command execution."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T16:18:10.689Z",
        "orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
        "shortName": "mongodb"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://jira.mongodb.org/browse/COMPASS-10657"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Prototype pollution in csv parsing",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
    "assignerShortName": "mongodb",
    "cveId": "CVE-2026-9101",
    "datePublished": "2026-05-20T16:18:10.689Z",
    "dateReserved": "2026-05-20T16:03:25.137Z",
    "dateUpdated": "2026-05-27T13:10:03.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8161 (GCVE-0-2026-8161)

Vulnerability from cvelistv5 – Published: 2026-05-12 08:50 – Updated: 2026-05-12 12:32
VLAI
Title
multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception
Summary
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-248 - Uncaught Exception
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
Impacted products
Vendor Product Version
multiparty multiparty Affected: 0 , ≤ 4.2.3 (semver)
Unaffected: 4.3.0 (semver)
Create a notification for this product.
Credits
Ser0n-ath Sebastian Beltran kq5y Byambadalai Sumiya Blake Embrey Ulises Gascón
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8161",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T12:31:39.867190Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:32:10.127Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/multiparty",
          "product": "multiparty",
          "vendor": "multiparty",
          "versions": [
            {
              "lessThanOrEqual": "4.2.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Ser0n-ath"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Sebastian Beltran"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "kq5y"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Byambadalai Sumiya"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Blake Embrey"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Ulises Gasc\u00f3n"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher."
            }
          ],
          "value": "multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T08:50:37.685Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956"
        },
        {
          "url": "https://cna.openjsf.org/security-advisories.html"
        }
      ],
      "title": "multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception",
      "x_generator": {
        "engine": "cve-kit 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-8161",
    "datePublished": "2026-05-12T08:50:37.685Z",
    "dateReserved": "2026-05-08T10:38:20.438Z",
    "dateUpdated": "2026-05-12T12:32:10.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.