CWE-1321— Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.— MITRE CWE catalog
508 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-1321page 11 of 11
- CVE-2026-57926CRITICALCVSS 9.8EG 2.62026-06-26
In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
- CVE-2026-59206HIGHCVSS 7.1EG 7.12026-07-09
n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated user with the default workflow:create permission could pollute Object.prototype through a crafted workflow saved, updated, or impo…
- CVE-2026-59876MEDIUMCVSS 4.8EG 4.82026-07-08
protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key __proto…
- CVE-2026-6594HIGHCVSS 7.3EG 7.32026-04-20
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototyp…
- CVE-2026-6621HIGHCVSS 7.3EG 7.32026-04-20
A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype …
- CVE-2026-8161HIGHCVSS 7.5EG 7.52026-05-12
[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constru…
- CVE-2026-8657HIGHCVSS 8.2EG 8.22026-05-16
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted de…
- CVE-2026-9101MEDIUMCVSS 4.3EG 4.32026-05-20
Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.
Map vulnerabilities like CWE-1321 to your infrastructure
EchelonGraph correlates every CVE — across CWE-1321 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →