CWE-1321— Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.— MITRE CWE catalog
508 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-1321page 10 of 11
- CVE-2026-25521CRITICALCVSS 9.3EG 8.82026-02-04
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigat…
- CVE-2026-25754HIGHCVSS 7.2EG 7.22026-02-06
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. T…
- CVE-2026-25881CRITICALCVSS 9.0EG 9.02026-02-09
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a …
- CVE-2026-26021CRITICALCVSS 9.8EG 9.82026-02-11
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pol…
- CVE-2026-27524MEDIUMCVSS 4.3EG 4.32026-03-18
OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to m…
- CVE-2026-29063CRITICALCVSS 9.8EG 9.82026-03-06
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. Th…
- CVE-2026-33228CRITICALCVSS 9.8EG 9.82026-03-20
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the inter…
- CVE-2026-34621HIGHCVSS 8.6EG 9.6⚠ KEV2026-04-11
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the …
- CVE-2026-34622HIGHCVSS 8.6EG 8.62026-04-14
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code exe…
- CVE-2026-34626MEDIUMCVSS 6.3EG 6.32026-04-14
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file sys…
- CVE-2026-35209HIGHCVSS 7.5EG 7.52026-04-06
defu is software that allows uers to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) a…
- CVE-2026-40190CRITICALCVSS 9.8EG 5.62026-04-10
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() ut…
- CVE-2026-41238MEDIUMCVSS 6.9EG 6.92026-04-23
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default confi…
- CVE-2026-41690HIGHCVSS 8.6EG 8.62026-05-08
18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hostin…
- CVE-2026-42033HIGHCVSS 7.4EG 7.42026-04-24
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silen…
- CVE-2026-42035HIGHCVSS 7.4EG 7.42026-04-24
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers int…
- CVE-2026-42041MEDIUMCVSS 6.5EG 4.82026-04-24
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP…
- CVE-2026-42044CRITICALCVSS 9.1EG 6.52026-04-24
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependen…
- CVE-2026-42077MEDIUMCVSS 5.2EG 5.22026-05-04
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious …
- CVE-2026-42231HIGHCVSS 8.8EG 8.82026-05-04
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payloa…
- CVE-2026-42232HIGHCVSS 8.8EG 8.82026-05-04
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RC…
- CVE-2026-42264CRITICALCVSS 9.1EG 7.42026-05-08
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via dir…
- CVE-2026-44005CRITICALCVSS 10.0EG 10.02026-05-13
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and …
- CVE-2026-44290HIGHCVSS 7.5EG 7.52026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf sc…
- CVE-2026-44292MEDIUMCVSS 5.3EG 5.32026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key…
- CVE-2026-44483HIGHCVSS 8.2EG 8.22026-05-27
RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not…
- CVE-2026-44489MEDIUMCVSS 5.3EG 5.32026-05-29
Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setPro…
- CVE-2026-44490HIGHCVSS 8.2EG 8.22026-05-29
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lo…
- CVE-2026-44494HIGHCVSS 8.7EG 8.72026-05-29
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's depende…
- CVE-2026-44495HIGHCVSS 7.0EG 7.02026-05-29
Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has…
- CVE-2026-44789CRITICALCVSS 9.9EG 9.92026-06-23
n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter…
- CVE-2026-44791CRITICALCVSS 9.9EG 9.92026-06-23
n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node. When combined with ot…
- CVE-2026-44966CRITICALCVSS 9.8EG 8.32026-05-26
Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Veloci…
- CVE-2026-45302HIGHCVSS 8.2EG 8.22026-05-18
parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved p…
- CVE-2026-46509HIGHCVSS 8.2EG 8.22026-05-28
deepobj provides get, set, delete deep objects in javascript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input. This vulnerabil…
- CVE-2026-46510HIGHCVSS 8.2EG 8.22026-05-18
form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field w…
- CVE-2026-46625HIGHCVSS 7.5EG 7.52026-05-21
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the…
- CVE-2026-48713CRITICALCVSS 9.1EG 9.12026-06-15
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFil…
- CVE-2026-48714CRITICALCVSS 9.1EG 9.12026-06-15
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and p…
- CVE-2026-49252CRITICALCVSS 9.9EG 9.92026-06-18
deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation fr…
- CVE-2026-53609CRITICALCVSS 9.1EG 9.12026-06-12
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary v…
- CVE-2026-53676HIGHCVSS 7.2EG 7.22026-06-17
ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant administrator privilege (TENANT_ADMIN).
- CVE-2026-54306MEDIUMCVSS 6.4EG 6.42026-06-16
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, a prototype pollution vulnerability allowed a crafted public webhook payload to inject attacker-controlled fields into workflow data during internal object cop…
- CVE-2026-54312HIGHCVSS 8.5EG 8.52026-06-16
n8n is an open source workflow automation platform. Prior to 2.24.0, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as th…
- CVE-2026-54639HIGHCVSS 8.8EG 8.82026-06-24
Style Dictionary, a build system for creating cross-platform styles, has a prototype pollution vulnerability starting in version 4.3.0 and prior to version 5.4.4. Impact users have: direct usage of `convertTokenData(tokens, { output: 'obje…
- CVE-2026-54756MEDIUMCVSS 6.3EG 6.32026-07-01
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) — and the internal ConfigMerge / ConfigProto helpers — merged user-supplied op…
- CVE-2026-55388HIGHCVSS 8.1EG 8.12026-06-18
piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's o…
- CVE-2026-55886MEDIUMCVSS 6.3EG 6.32026-06-18
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. Versions prior to 4.12.26 are vulnerable to Prototype Pollution through Jodit.modules.Helpers.set(chain, value, obj), which walks the dot…
- CVE-2026-56763MEDIUMCVSS 4.8EG 4.82026-07-11
Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged into regular JavaScript objects using u…
- CVE-2026-57439MEDIUMCVSS 5.0EG 5.02026-07-08
CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with …
Map vulnerabilities like CWE-1321 to your infrastructure
EchelonGraph correlates every CVE — across CWE-1321 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →