CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

VariantIncomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Hierarchy (View 1000)

Parents

CWE-915

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (488)

page 8 of 25

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2019-0230	—	0.11	—	0.94	Sep 14, 2020	Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
CVE-2011-10019	Spree Spreecommerce	0.09	—	0.80	Aug 13, 2025	Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows…
CVE-2019-16328	—	0.09	—	0.73	Oct 3, 2019	In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.
CVE-2021-20086	—	0.04	—	0.50	Apr 23, 2021	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype.
CVE-2023-30533	—	0.01	—	0.09	Apr 24, 2023	SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words. 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.
CVE-2023-26122	—	0.01	—	0.08	Apr 11, 2023	All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable…
CVE-2021-20083	Alrusdi Jquery Plugin Query Object	0.01	—	0.07	Apr 23, 2021	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-plugin-query-object 2.2.3 allows a malicious user to inject properties into Object.prototype.
CVE-2019-10744	—	0.01	—	0.15	Jul 25, 2019	Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
CVE-2026-33696	N8n Io N8n	0.00	—	0.00	Mar 25, 2026	n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and the GSuiteAdmin nodes. By supplying a crafted…
CVE-2026-33228	—	0.00	—	0.00	Mar 20, 2026	flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array,…
CVE-2026-32886	Parse Community Parse Server	0.00	—	0.00	Mar 18, 2026	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the…
CVE-2026-32878	Parse Community Parse Server	0.00	—	0.00	Mar 18, 2026	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a…
CVE-2026-31865	Elysiajs Elysia	0.00	—	0.00	Mar 18, 2026	Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a…
CVE-2026-27524	OpenClaw Openclaw	0.00	—	0.00	Mar 18, 2026	OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass…
CVE-2026-30226	Sveltejs Devalue	0.00	—	0.00	Mar 11, 2026	Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful…
CVE-2026-30939	Parse Community Parse Server	0.00	—	0.00	Mar 10, 2026	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the…
CVE-2026-28794	Middleapi Orpc	0.00	—	0.01	Mar 6, 2026	oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote…
CVE-2026-27837	Mickhansen Dottie.js	0.00	—	0.00	Feb 26, 2026	Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an…
CVE-2026-27212	Nolimits4web Swiper	0.00	—	0.00	Feb 21, 2026	Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check…
CVE-2026-26021	Ahdinosaur Set In	0.00	—	0.00	Feb 11, 2026	set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input…

CVE-2019-0230Sep 14, 2020
risk 0.11cvss —epss 0.94
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
CVE-2011-10019Aug 13, 2025
Spree
Spreecommerce
risk 0.09cvss —epss 0.80
Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows…
CVE-2019-16328Oct 3, 2019
risk 0.09cvss —epss 0.73
In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.
CVE-2021-20086Apr 23, 2021
risk 0.04cvss —epss 0.50
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype.
CVE-2023-30533Apr 24, 2023
risk 0.01cvss —epss 0.09
SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words. 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.
CVE-2023-26122Apr 11, 2023
risk 0.01cvss —epss 0.08
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable…
CVE-2021-20083Apr 23, 2021
Alrusdi
Jquery Plugin Query Object
risk 0.01cvss —epss 0.07
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-plugin-query-object 2.2.3 allows a malicious user to inject properties into Object.prototype.
CVE-2019-10744Jul 25, 2019
risk 0.01cvss —epss 0.15
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
CVE-2026-33696Mar 25, 2026
N8n Io
N8n
risk 0.00cvss —epss 0.00
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and the GSuiteAdmin nodes. By supplying a crafted…
CVE-2026-33228Mar 20, 2026
risk 0.00cvss —epss 0.00
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array,…
CVE-2026-32886Mar 18, 2026
Parse Community
Parse Server
risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the…
CVE-2026-32878Mar 18, 2026
Parse Community
Parse Server
risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a…
CVE-2026-31865Mar 18, 2026
Elysiajs
Elysia
risk 0.00cvss —epss 0.00
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a…
CVE-2026-27524Mar 18, 2026
OpenClaw
Openclaw
risk 0.00cvss —epss 0.00
OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass…
CVE-2026-30226Mar 11, 2026
Sveltejs
Devalue
risk 0.00cvss —epss 0.00
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful…
CVE-2026-30939Mar 10, 2026
Parse Community
Parse Server
risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the…
CVE-2026-28794Mar 6, 2026
Middleapi
Orpc
risk 0.00cvss —epss 0.01
oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote…
CVE-2026-27837Feb 26, 2026
Mickhansen
Dottie.js
risk 0.00cvss —epss 0.00
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an…
CVE-2026-27212Feb 21, 2026
Nolimits4web
Swiper
risk 0.00cvss —epss 0.00
Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check…
CVE-2026-26021Feb 11, 2026
Ahdinosaur
Set In
risk 0.00cvss —epss 0.00
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input…