Critical severityNVD Advisory· Published Feb 11, 2026· Updated Feb 12, 2026
Prototype pollution in set-in
CVE-2026-26021
Description
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
set-innpm | >= 2.0.1, < 2.0.5 | 2.0.5 |
Affected products
2- Range: >= 2.0.1, < 2.0.5
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-2c4m-g7rx-63q7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-26021ghsaADVISORY
- github.com/ahdinosaur/set-in/commit/34842cc02de3fd65d6f8bd0b268347e7b390125bghsaWEB
- github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24ghsaWEB
- github.com/ahdinosaur/set-in/commit/b8e1dabfdbd35c8d604b6324e01d03f280256c3dghsax_refsource_MISCWEB
- github.com/ahdinosaur/set-in/commit/d87c1a09fa2edb55cd76440a67d83d1cb828df11ghsaWEB
- github.com/ahdinosaur/set-in/pull/6ghsaWEB
- github.com/ahdinosaur/set-in/security/advisories/GHSA-2c4m-g7rx-63q7ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.