Total
446 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-61140 | 1 Dchester | 1 Jsonpath | 2026-02-09 | 9.8 Critical |
| The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution. | ||||
| CVE-2026-24888 | 1 Microsoft | 1 Maker.js | 2026-02-09 | 6.5 Medium |
| Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2. | ||||
| CVE-2026-25754 | 1 Adonisjs | 1 Bodyparser | 2026-02-09 | 7.2 High |
| AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9. | ||||
| CVE-2026-24766 | 1 Nocodb | 1 Nocodb | 2026-02-04 | 4.9 Medium |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue. | ||||
| CVE-2026-21854 | 1 Tarkov | 1 Tarkov Data Manager | 2026-02-03 | 9.8 Critical |
| The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities. | ||||
| CVE-2025-64718 | 2 Js-yaml, Nodeca | 2 Js-yaml, Js-yaml | 2026-02-02 | 5.3 Medium |
| js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default). | ||||
| CVE-2025-13204 | 2 Expr-eval Project, Silentmatt | 2 Expr-eval, Javascript Expression Evaluator | 2026-01-08 | 7.3 High |
| npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue. | ||||
| CVE-2025-13158 | 1 Apidocjs | 1 Apidoc-core | 2025-12-29 | N/A |
| Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules. | ||||
| CVE-2023-46308 | 1 Plotly | 1 Plotly.js | 2025-12-24 | 9.8 Critical |
| In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty. | ||||
| CVE-2025-68130 | 1 Trpc | 1 Trpc | 2025-12-18 | N/A |
| tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue. | ||||
| CVE-2025-66456 | 1 Elysiajs | 1 Elysia | 2025-12-17 | 9.8 Critical |
| Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the `__proto__ prop` to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker. This issue is fixed in version 1.4.17. To workaround, remove the `__proto__ key` from body. | ||||
| CVE-2025-8083 | 1 Vuetifyjs | 1 Vuetify | 2025-12-15 | 8.6 High |
| The Preset configuration https://v2.vuetifyjs.com/en/features/presets feature of Vuetify is vulnerable to Prototype Pollution https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html due to the internal 'mergeDeep' utility function used to merge options with defaults. Using a specially-crafted, malicious preset can result in polluting all JavaScript objects with arbitrary properties, which can further negatively affect all aspects of the application's behavior. This can lead to a wide range of security issues, including resource exhaustion/denial of service or unauthorized access to data. If the application utilizes Server-Side Rendering (SSR), this vulnerability could affect the whole server process. This issue affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ . | ||||
| CVE-2024-27307 | 1 Jsonata | 1 Jsonata | 2025-12-04 | 9.8 Critical |
| JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually. | ||||
| CVE-2025-8101 | 1 Linkify | 1 Linkify | 2025-12-03 | 8.6 High |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2. | ||||
| CVE-2023-0842 | 1 Xml2js Project | 1 Xml2js | 2025-12-03 | 5.3 Medium |
| xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. | ||||
| CVE-2022-41713 | 1 Deep-object-diff Project | 1 Deep-object-diff | 2025-12-03 | 5.3 Medium |
| deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited. | ||||
| CVE-2022-42743 | 1 Deep-parse-json Project | 1 Deep-parse-json | 2025-12-03 | 5.3 Medium |
| deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited. | ||||
| CVE-2022-41714 | 1 Fastest-json-copy Project | 1 Fastest-json-copy | 2025-12-03 | 5.3 Medium |
| fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited. | ||||
| CVE-2019-10768 | 2 Angularjs, Redhat | 4 Angularjs, Amq Broker, Jboss Fuse and 1 more | 2025-11-20 | 7.5 High |
| In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. | ||||
| CVE-2011-10019 | 1 Spreecommerce | 1 Spree | 2025-11-20 | 9.8 Critical |
| Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication. | ||||