CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
778 vulnerabilities reference this CWE, most recent first.
CVE-2026-25150 (GCVE-0-2026-25150)
Vulnerability from cvelistv5 – Published: 2026-02-03 21:12 – Updated: 2026-02-04 16:31- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
| URL | Tags |
|---|---|
| https://github.com/QwikDev/qwik/security/advisori… | x_refsource_CONFIRM |
| https://github.com/QwikDev/qwik/commit/5f65bae2bc… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T16:31:38.732304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:31:46.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "qwik",
"vendor": "QwikDev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T21:12:50.417Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq"
},
{
"name": "https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7"
}
],
"source": {
"advisory": "GHSA-xqg6-98cw-gxhq",
"discovery": "UNKNOWN"
},
"title": "Prototype Pollution via FormData Processing in Qwik City"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25150",
"datePublished": "2026-02-03T21:12:50.417Z",
"dateReserved": "2026-01-29T15:39:11.821Z",
"dateUpdated": "2026-02-04T16:31:46.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25047 (GCVE-0-2026-25047)
Vulnerability from cvelistv5 – Published: 2026-01-29 21:39 – Updated: 2026-02-02 16:35- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
| URL | Tags |
|---|---|
| https://github.com/sharpred/deepHas/security/advi… | x_refsource_CONFIRM |
| https://github.com/sharpred/deepHas/commit/8097fa… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25047",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:48:51.987434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:35:22.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deepHas",
"vendor": "sharpred",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T21:39:48.498Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27"
},
{
"name": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465"
}
],
"source": {
"advisory": "GHSA-2733-6c58-pf27",
"discovery": "UNKNOWN"
},
"title": "deepHas vulnerable to Prototype Pollution via constructor.prototype"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25047",
"datePublished": "2026-01-29T21:39:48.498Z",
"dateReserved": "2026-01-28T14:50:47.886Z",
"dateUpdated": "2026-02-02T16:35:22.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24888 (GCVE-0-2026-24888)
Vulnerability from cvelistv5 – Published: 2026-01-28 21:35 – Updated: 2026-01-29 18:00- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
| URL | Tags |
|---|---|
| https://github.com/microsoft/maker.js/security/ad… | x_refsource_CONFIRM |
| https://github.com/microsoft/maker.js/commit/85e0… | x_refsource_MISC |
| https://github.com/microsoft/maker.js/blob/98cffa… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24888",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T16:02:22.958539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T18:00:53.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "maker.js",
"vendor": "microsoft",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T21:35:44.030Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx"
},
{
"name": "https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8"
},
{
"name": "https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241"
}
],
"source": {
"advisory": "GHSA-2cp6-34r9-54xx",
"discovery": "UNKNOWN"
},
"title": "Maker.js Vulnerable to Unsafe Property Copying in makerjs.extendObject"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24888",
"datePublished": "2026-01-28T21:35:44.030Z",
"dateReserved": "2026-01-27T19:35:20.528Z",
"dateUpdated": "2026-01-29T18:00:53.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24766 (GCVE-0-2026-24766)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:27 – Updated: 2026-01-29 18:01- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
| URL | Tags |
|---|---|
| https://github.com/nocodb/nocodb/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T16:03:33.565162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T18:01:30.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nocodb",
"vendor": "nocodb",
"versions": [
{
"status": "affected",
"version": "\u003c 0.301.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:27:42.819Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9"
}
],
"source": {
"advisory": "GHSA-95ff-46g6-6gw9",
"discovery": "UNKNOWN"
},
"title": "NocoDB Vulnerable to Prototype Pollution in Connection Test Endpoint, Leading to DoS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24766",
"datePublished": "2026-01-28T20:27:42.819Z",
"dateReserved": "2026-01-26T21:06:47.868Z",
"dateUpdated": "2026-01-29T18:01:30.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23736 (GCVE-0-2026-23736)
Vulnerability from cvelistv5 – Published: 2026-01-21 23:01 – Updated: 2026-01-22 14:45- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
| URL | Tags |
|---|---|
| https://github.com/lxsmnsyc/seroval/security/advi… | x_refsource_CONFIRM |
| https://github.com/lxsmnsyc/seroval/commit/ce9408… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23736",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T14:45:46.259826Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T14:45:53.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "seroval",
"vendor": "lxsmnsyc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T23:01:45.857Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4"
},
{
"name": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"
}
],
"source": {
"advisory": "GHSA-hj76-42vx-jwp4",
"discovery": "UNKNOWN"
},
"title": "seroval Affected by Prototype Pollution via JSON Deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23736",
"datePublished": "2026-01-21T23:01:10.114Z",
"dateReserved": "2026-01-15T15:45:01.957Z",
"dateUpdated": "2026-01-22T14:45:53.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21854 (GCVE-0-2026-21854)
Vulnerability from cvelistv5 – Published: 2026-01-07 18:14 – Updated: 2026-01-07 18:41| URL | Tags |
|---|---|
| https://github.com/the-hideout/tarkov-data-manage… | x_refsource_CONFIRM |
| https://github.com/the-hideout/tarkov-data-manage… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| the-hideout | tarkov-data-manager |
Affected:
<= 2.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21854",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-07T18:40:33.171789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T18:41:47.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tarkov-data-manager",
"vendor": "the-hideout",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T18:14:59.375Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73"
},
{
"name": "https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a"
}
],
"source": {
"advisory": "GHSA-r8w6-9xwg-6h73",
"discovery": "UNKNOWN"
},
"title": "Tarkov Data Manager Authentication Bypass vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21854",
"datePublished": "2026-01-07T18:14:59.375Z",
"dateReserved": "2026-01-05T16:44:16.366Z",
"dateUpdated": "2026-01-07T18:41:47.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15702 (GCVE-0-2026-15702)
Vulnerability from cvelistv5 – Published: 2026-07-14 16:45 – Updated: 2026-07-15 13:17 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378249 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378249/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15702 | third-party-advisory |
| https://vuldb.com/submit/856138 | third-party-advisory |
| https://github.com/tamagui/tamagui/issues/4029 | issue-tracking |
| https://github.com/tamagui/tamagui/commit/e46af98… | patch |
| https://github.com/tamagui/tamagui/releases/tag/v2.3.1 | patch |
| https://github.com/tamagui/tamagui/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15702",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:14:34.739861Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:17:16.052Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:tamagui:tamagui:*:*:*:*:*:*:*:*"
],
"product": "tamagui",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "2.1"
},
{
"status": "affected",
"version": "2.2"
},
{
"status": "affected",
"version": "2.3.0"
},
{
"status": "unaffected",
"version": "2.3.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wjm1 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in tamagui up to 2.3.0. This affects the function updateConfig of the file code/core/web/src/config.ts. Such manipulation leads to improperly controlled modification of object prototype attributes. The attack may be performed from remote. Upgrading to version 2.3.1 is able to mitigate this issue. The name of the patch is e46af9879b7627934ea4d6d6e46e65cea53abb3d. The affected component should be upgraded."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "Improperly Controlled Modification of Object Prototype Attributes",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T16:45:09.501Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378249 | tamagui config.ts updateConfig prototype pollution",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378249"
},
{
"name": "VDB-378249 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378249/cti"
},
{
"name": "CVE-2026-15702 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15702"
},
{
"name": "Submit #856138 | Node.js @tamagui/web 2.2.0 Prototype Pollution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/856138"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/tamagui/tamagui/issues/4029"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tamagui/tamagui/commit/e46af9879b7627934ea4d6d6e46e65cea53abb3d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tamagui/tamagui/releases/tag/v2.3.1"
},
{
"tags": [
"product"
],
"url": "https://github.com/tamagui/tamagui/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-14T07:34:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "tamagui config.ts updateConfig prototype pollution"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15702",
"datePublished": "2026-07-14T16:45:09.501Z",
"dateReserved": "2026-07-14T05:29:15.935Z",
"dateUpdated": "2026-07-15T13:17:16.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15699 (GCVE-0-2026-15699)
Vulnerability from cvelistv5 – Published: 2026-07-14 15:45 – Updated: 2026-07-14 17:52 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378246 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378246/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15699 | third-party-advisory |
| https://vuldb.com/submit/856016 | third-party-advisory |
| https://github.com/spencermountain/compromise/iss… | exploitissue-tracking |
| https://github.com/spencermountain/compromise/com… | patch |
| https://github.com/spencermountain/compromise/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| spencermountain | compromise |
Affected:
14.15.0
Affected: 14.15.1 cpe:2.3:a:spencermountain:compromise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15699",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T17:52:30.278025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T17:52:49.267Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:spencermountain:compromise:*:*:*:*:*:*:*:*"
],
"modules": [
"Public Root API"
],
"product": "compromise",
"vendor": "spencermountain",
"versions": [
{
"status": "affected",
"version": "14.15.0"
},
{
"status": "affected",
"version": "14.15.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wjm1 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in spencermountain compromise up to 14.15.1. Affected is the function nlp.extend of the file src/API/extend.js of the component Public Root API. The manipulation of the argument plugin leads to improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is b4644ab7179700df0607521f61c1ee9b5f78d89d. Applying a patch is the recommended action to fix this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "Improperly Controlled Modification of Object Prototype Attributes",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T15:45:08.286Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378246 | spencermountain compromise Public Root API extend.js nlp.extend prototype pollution",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378246"
},
{
"name": "VDB-378246 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378246/cti"
},
{
"name": "CVE-2026-15699 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15699"
},
{
"name": "Submit #856016 | Node.js compromise 14.15.1 Prototype Pollution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/856016"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/spencermountain/compromise/issues/1208"
},
{
"tags": [
"patch"
],
"url": "https://github.com/spencermountain/compromise/commit/b4644ab7179700df0607521f61c1ee9b5f78d89d"
},
{
"tags": [
"product"
],
"url": "https://github.com/spencermountain/compromise/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-14T07:17:47.000Z",
"value": "VulDB entry last update"
}
],
"title": "spencermountain compromise Public Root API extend.js nlp.extend prototype pollution"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15699",
"datePublished": "2026-07-14T15:45:08.286Z",
"dateReserved": "2026-07-14T05:12:43.606Z",
"dateUpdated": "2026-07-14T17:52:49.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15698 (GCVE-0-2026-15698)
Vulnerability from cvelistv5 – Published: 2026-07-14 15:30 – Updated: 2026-07-14 16:26 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378245 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378245/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15698 | third-party-advisory |
| https://vuldb.com/submit/856014 | third-party-advisory |
| https://github.com/kofrasa/mingo/issues/606 | issue-tracking |
| https://github.com/kofrasa/mingo/commit/fadc39825… | patch |
| https://github.com/kofrasa/mingo/releases/tag/7.2.2 | patch |
| https://github.com/kofrasa/mingo/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T16:01:39.152033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T16:26:47.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:kofrasa:mingo:*:*:*:*:*:*:*:*"
],
"modules": [
"Update API"
],
"product": "mingo",
"vendor": "kofrasa",
"versions": [
{
"status": "affected",
"version": "7.2.0"
},
{
"status": "affected",
"version": "7.2.1"
},
{
"status": "unaffected",
"version": "7.2.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wjm1 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in kofrasa mingo up to 7.2.1. This impacts the function update/updateOne/updateMany of the component Update API. Executing a manipulation of the argument Set can lead to improperly controlled modification of object prototype attributes. The attack may be launched remotely. Upgrading to version 7.2.2 will fix this issue. This patch is called fadc398251792c2ba441cbc539f359fc7943c0c2. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "Improperly Controlled Modification of Object Prototype Attributes",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T15:30:10.077Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378245 | kofrasa mingo Update API updateMany prototype pollution",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378245"
},
{
"name": "VDB-378245 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378245/cti"
},
{
"name": "CVE-2026-15698 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15698"
},
{
"name": "Submit #856014 | Node.js mingo 7.2.1 Prototype Pollution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/856014"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/kofrasa/mingo/issues/606"
},
{
"tags": [
"patch"
],
"url": "https://github.com/kofrasa/mingo/commit/fadc398251792c2ba441cbc539f359fc7943c0c2"
},
{
"tags": [
"patch"
],
"url": "https://github.com/kofrasa/mingo/releases/tag/7.2.2"
},
{
"tags": [
"product"
],
"url": "https://github.com/kofrasa/mingo/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-14T07:13:42.000Z",
"value": "VulDB entry last update"
}
],
"title": "kofrasa mingo Update API updateMany prototype pollution"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15698",
"datePublished": "2026-07-14T15:30:10.077Z",
"dateReserved": "2026-07-14T05:08:37.762Z",
"dateUpdated": "2026-07-14T16:26:47.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15697 (GCVE-0-2026-15697)
Vulnerability from cvelistv5 – Published: 2026-07-14 15:15 – Updated: 2026-07-15 14:47| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378244 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378244/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15697 | third-party-advisory |
| https://vuldb.com/submit/856013 | third-party-advisory |
| https://github.com/svgdotjs/svg.js/issues/1343 | issue-tracking |
| https://github.com/svgdotjs/svg.js/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15697",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:47:38.072686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:47:52.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:svgdotjs:svg.js:*:*:*:*:*:*:*:*"
],
"modules": [
"npm Package API"
],
"product": "svg.js",
"vendor": "svgdotjs",
"versions": [
{
"status": "affected",
"version": "3.2.0"
},
{
"status": "affected",
"version": "3.2.1"
},
{
"status": "affected",
"version": "3.2.2"
},
{
"status": "affected",
"version": "3.2.3"
},
{
"status": "affected",
"version": "3.2.4"
},
{
"status": "affected",
"version": "3.2.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wjm1 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of object prototype attributes. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "Improperly Controlled Modification of Object Prototype Attributes",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T15:15:09.763Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378244 | svgdotjs svg.js npm Package API EventTarget.on prototype pollution",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378244"
},
{
"name": "VDB-378244 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378244/cti"
},
{
"name": "CVE-2026-15697 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15697"
},
{
"name": "Submit #856013 | Node.js @svgdotjs/svg.js 3.2.5 Prototype Pollution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/856013"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/svgdotjs/svg.js/issues/1343"
},
{
"tags": [
"product"
],
"url": "https://github.com/svgdotjs/svg.js/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-14T07:06:45.000Z",
"value": "VulDB entry last update"
}
],
"title": "svgdotjs svg.js npm Package API EventTarget.on prototype pollution"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15697",
"datePublished": "2026-07-14T15:15:09.763Z",
"dateReserved": "2026-07-14T05:01:41.727Z",
"dateUpdated": "2026-07-15T14:47:52.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.