VYPR

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Variant · Incomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
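The weakness shows up in two recurring shapes among the CVEs listed on this page: a recursive "merge/extend" helper that copies attacker-supplied keys into a target object, and a dot-notation "set" helper that walks a path such as `a.b.c`. Both reach `Object.prototype` through the `__proto__` accessor (or `constructor.prototype`), after which every object in the process inherits the injected property. The following is an added example, not code from the CWE entry or from any project named on this page; it pairs a vulnerable form of each helper with a hardened one, and the payloads are constructed inline in the shape `JSON.parse` produces from a request body or query string.

```javascript
// Added example (not from the CWE entry or any listed project). Vulnerable and
// hardened forms of a deep merge and a dot-path setter, plus a check that
// reports whether Object.prototype has acquired an own property.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: the classic deep extend. A source key of "__proto__" is handled
// like any other key, so target["__proto__"] resolves through the accessor to
// Object.prototype and the recursion writes into the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the three gadget keys, copy only own keys of the source, and
// recurse only into own plain-object properties of the target, so an
// inherited object such as Object.prototype is never used as a destination.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable: a dot-path setter. The path "__proto__.isAdmin" steps into
// Object.prototype on its first segment and writes isAdmin there.
function unsafeSetPath(obj, path, value) {
  const parts = path.split(".");
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!isPlainObject(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: vet every segment, not just the first one, so "a.__proto__.b" is
// rejected too, and only descend into own plain-object properties. Throwing
// rather than silently dropping the key makes probing visible in logs.
function safeSetPath(obj, path, value) {
  const parts = path.split(".");
  for (const part of parts) {
    if (part === "" || FORBIDDEN_KEYS.has(part)) {
      throw new Error(`refusing path segment: ${JSON.stringify(part)}`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    const ownPlain =
      Object.prototype.hasOwnProperty.call(cur, part) && isPlainObject(cur[part]);
    if (!ownPlain) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// True when Object.prototype carries an own property of that name. Useful as
// a regression assertion in tests and as a cheap canary after handling input.
function prototypeHasOwn(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed payload, as a JSON request body would parse.
  unsafeMerge({}, JSON.parse('{"__proto__": {"polluted": true}}'));
  console.log("after unsafeMerge, ({}).polluted =", ({}).polluted); // true
  delete Object.prototype.polluted;
  safeMerge({}, JSON.parse('{"__proto__": {"polluted": true}}'));
  console.log("after safeMerge, ({}).polluted =", ({}).polluted); // undefined
}
```

Note that `JSON.parse` creates `__proto__` as an ordinary own, enumerable property, which is exactly why `for...in` and `Object.keys` hand it to the merge; a prefix check on the whole path (as opposed to a per-segment check) is bypassed by placing the gadget key after a benign first segment.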

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (503)

page 1 of 26
  • CVE-2026-34621 · High · KEV · Apr 11, 2026
    risk 0.69 · cvss 8.6 · epss 0.07

    Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user.…

  • CVE-2024-56059 · Critical · Dec 18, 2024
    risk 0.66 · cvss 9.8 · epss 0.02

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in farinspace Partners partners allows Object Injection. This issue affects Partners: from n/a through <= 0.2.0.

  • CVE-2026-44005 · Critical · May 13, 2026
    risk 0.65 · cvss 10.0 · epss 0.01

    vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets…

  • CVE-2025-63704 · Critical · May 7, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.

  • CVE-2025-63703 · Critical · May 7, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().

  • CVE-2024-52441 · Critical · Nov 20, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn quick-learn allows Object Injection. This issue affects Quick Learn: from n/a through <= 1.0.1.

  • CVE-2024-39011 · Critical · Jul 30, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects.

  • CVE-2024-39014 · Critical · Jul 1, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-39013 · Critical · Jul 1, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-36582 · Critical · Jun 17, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js)

  • CVE-2024-36580 · Critical · Jun 17, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.

  • CVE-2018-3753 · Critical · Jul 3, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    The utilities function in all versions <= 1.0.0 of the merge-objects node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that…

  • CVE-2025-13158 · Critical · Dec 26, 2025
    risk 0.60 · epss 0.00

    Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to…

  • CVE-2026-53609 · Critical · Jun 12, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary values to `Object.prototype` via the…

  • CVE-2026-44791 · Critical · May 14, 2026
    risk 0.59 · epss 0.01

    Impact: An authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. Patches: The issue has been fixed in n8n versions 1.123.43,…

  • CVE-2026-44789 · Critical · May 14, 2026
    risk 0.59 · epss 0.01

    Impact: An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. Patches: The issue…

  • CVE-2026-33864 · Critical · Mar 26, 2026
    risk 0.59 · epss 0.01

    Summary: A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute…

  • CVE-2026-33863 · Critical · Mar 26, 2026
    risk 0.59 · epss 0.00

    Impact: Two unguarded prototype pollution paths exist, not covered by previous fixes: 1. `config.load()` / `config.loadFile()`: `overlay()` recursively merges config data without checking for forbidden keys. Input containing `__proto__` or `constructor.prototype` (e.g.…

  • CVE-2024-57077 · Critical · Feb 5, 2025
    risk 0.59 · cvss 9.1 · epss 0.00

    The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service…

  • CVE-2024-39008 · Critical · Jul 1, 2024
    risk 0.58 · cvss 10.0 · epss 0.01

    robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.