Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by svgdotjs

    CVE-2026-15697 (GCVE-0-2026-15697)

    Vulnerability from nvd – Published: 2026-07-14 15:15 – Updated: 2026-07-15 14:47
    VLAI
    Title
    svgdotjs svg.js npm Package API EventTarget.on prototype pollution
    Summary
    A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of object prototype attributes. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
    • CWE-94 - Code Injection
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/378244 vdb-entrytechnical-description
    https://vuldb.com/vuln/378244/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15697 third-party-advisory
    https://vuldb.com/submit/856013 third-party-advisory
    https://github.com/svgdotjs/svg.js/issues/1343 issue-tracking
    https://github.com/svgdotjs/svg.js/ product
    Impacted products
    Vendor Product Version
    svgdotjs svg.js Affected: 3.2.0
    Affected: 3.2.1
    Affected: 3.2.2
    Affected: 3.2.3
    Affected: 3.2.4
    Affected: 3.2.5
        cpe:2.3:a:svgdotjs:svg.js:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    wjm1 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15697",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:47:38.072686Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:47:52.297Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:svgdotjs:svg.js:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "npm Package API"
              ],
              "product": "svg.js",
              "vendor": "svgdotjs",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.2.0"
                },
                {
                  "status": "affected",
                  "version": "3.2.1"
                },
                {
                  "status": "affected",
                  "version": "3.2.2"
                },
                {
                  "status": "affected",
                  "version": "3.2.3"
                },
                {
                  "status": "affected",
                  "version": "3.2.4"
                },
                {
                  "status": "affected",
                  "version": "3.2.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "wjm1 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of object prototype attributes. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Improperly Controlled Modification of Object Prototype Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T15:15:09.763Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-378244 | svgdotjs svg.js npm Package API EventTarget.on prototype pollution",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/378244"
            },
            {
              "name": "VDB-378244 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/378244/cti"
            },
            {
              "name": "CVE-2026-15697 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15697"
            },
            {
              "name": "Submit #856013 | Node.js @svgdotjs/svg.js 3.2.5 Prototype Pollution",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/856013"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/svgdotjs/svg.js/issues/1343"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/svgdotjs/svg.js/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-14T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-14T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-14T07:06:45.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "svgdotjs svg.js npm Package API EventTarget.on prototype pollution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15697",
        "datePublished": "2026-07-14T15:15:09.763Z",
        "dateReserved": "2026-07-14T05:01:41.727Z",
        "dateUpdated": "2026-07-15T14:47:52.297Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15697 (GCVE-0-2026-15697)

    Vulnerability from cvelistv5 – Published: 2026-07-14 15:15 – Updated: 2026-07-15 14:47
    VLAI
    Title
    svgdotjs svg.js npm Package API EventTarget.on prototype pollution
    Summary
    A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of object prototype attributes. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
    • CWE-94 - Code Injection
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/378244 vdb-entrytechnical-description
    https://vuldb.com/vuln/378244/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15697 third-party-advisory
    https://vuldb.com/submit/856013 third-party-advisory
    https://github.com/svgdotjs/svg.js/issues/1343 issue-tracking
    https://github.com/svgdotjs/svg.js/ product
    Impacted products
    Vendor Product Version
    svgdotjs svg.js Affected: 3.2.0
    Affected: 3.2.1
    Affected: 3.2.2
    Affected: 3.2.3
    Affected: 3.2.4
    Affected: 3.2.5
        cpe:2.3:a:svgdotjs:svg.js:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    wjm1 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15697",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:47:38.072686Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:47:52.297Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:svgdotjs:svg.js:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "npm Package API"
              ],
              "product": "svg.js",
              "vendor": "svgdotjs",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.2.0"
                },
                {
                  "status": "affected",
                  "version": "3.2.1"
                },
                {
                  "status": "affected",
                  "version": "3.2.2"
                },
                {
                  "status": "affected",
                  "version": "3.2.3"
                },
                {
                  "status": "affected",
                  "version": "3.2.4"
                },
                {
                  "status": "affected",
                  "version": "3.2.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "wjm1 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of object prototype attributes. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Improperly Controlled Modification of Object Prototype Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T15:15:09.763Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-378244 | svgdotjs svg.js npm Package API EventTarget.on prototype pollution",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/378244"
            },
            {
              "name": "VDB-378244 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/378244/cti"
            },
            {
              "name": "CVE-2026-15697 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15697"
            },
            {
              "name": "Submit #856013 | Node.js @svgdotjs/svg.js 3.2.5 Prototype Pollution",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/856013"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/svgdotjs/svg.js/issues/1343"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/svgdotjs/svg.js/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-14T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-14T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-14T07:06:45.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "svgdotjs svg.js npm Package API EventTarget.on prototype pollution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15697",
        "datePublished": "2026-07-14T15:15:09.763Z",
        "dateReserved": "2026-07-14T05:01:41.727Z",
        "dateUpdated": "2026-07-15T14:47:52.297Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }