VYPR

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Variant · Incomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (503)

page 2 of 26
  • CVE-2024-38999 · Critical · Jul 1, 2024
    risk 0.58 · cvss 10.0 · epss 0.01

    jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2026-42232 · High · May 4, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes…

  • CVE-2026-42231 · High · May 4, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission…

  • CVE-2026-33994 · Critical · Mar 27, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute…

  • CVE-2026-33993 · Critical · Mar 27, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__`…

  • CVE-2026-32621 · Critical · Mar 16, 2026
    risk 0.57 · cvss 9.9 · epss 0.01

    Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A…

  • CVE-2026-29063 · Critical · Mar 6, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions…

  • CVE-2026-1774 · Critical · Feb 10, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.

  • CVE-2024-38989 · Critical · Aug 12, 2024
    risk 0.57 · cvss 9.8 · epss 0.01

    izatop bunt v0.29.19 was discovered to contain a prototype pollution via the component /esm/qs.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-38992 · High · Jul 1, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-38991 · High · Jul 1, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    akbr patch-into v1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-36573 · Critical · Jun 17, 2024
    risk 0.57 · cvss 9.8 · epss 0.01

    almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component.

  • CVE-2024-24293 · High · May 20, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.

  • CVE-2024-24294 · Critical · May 20, 2024
    risk 0.57 · cvss 9.8 · epss 0.01

    A Prototype Pollution issue in Blackprint @blackprint/engine v.0.9.0 allows an attacker to execute arbitrary code via the _utils.setDeepProperty function of engine.min.js.

  • CVE-2024-30564 · Critical · Apr 18, 2024
    risk 0.57 · cvss 9.8 · epss 0.01

    An issue in andrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method.

  • CVE-2024-29650 · Critical · Mar 25, 2024
    risk 0.57 · cvss 9.8 · epss 0.01

    An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe components.

  • CVE-2020-28271 · Critical · Nov 12, 2020
    risk 0.57 · cvss 9.8 · epss 0.03

    Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.

  • CVE-2018-11135 · High · May 31, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks.

  • CVE-2026-34622 · High · Apr 14, 2026
    risk 0.56 · cvss 8.6 · epss 0.00

    Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current…

  • CVE-2025-8083 · High · Dec 12, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    The Preset configuration (https://v2.vuetifyjs.com/en/features/presets) feature of Vuetify is vulnerable to Prototype Pollution (https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html) due to the internal 'mergeDeep' utility function…