CWE-471
Modification of Assumed-Immutable Data (MAID)
Description
The product does not properly protect an assumed-immutable element from being modified by an attacker.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388
CVEs mapped to this weakness (23)
Page 1 of 2

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-3728 | — | High | 0.51 | 8.8 | 0.04 | | Mar 30, 2018 | hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or… |
| CVE-2018-3723 | — | High | 0.50 | 8.8 | 0.02 | | Jun 7, 2018 | defaults-deep node module before 0.2.4 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all… |
| CVE-2018-3722 | — | High | 0.50 | 8.8 | 0.02 | | Jun 7, 2018 | merge-deep node module before 3.0.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all… |
| CVE-2018-3720 | — | High | 0.50 | 8.8 | 0.02 | | Jun 7, 2018 | assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all… |
| CVE-2018-3719 | — | High | 0.50 | 8.8 | 0.02 | | Jun 7, 2018 | mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all… |
| CVE-2024-9876 | | High | 0.47 | 7.3 | 0.00 | | Apr 30, 2025 | Modification of Assumed-Immutable Data (MAID) vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini. This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4. |
| CVE-2024-57708 | | Medium | 0.40 | 5.7 | 0.01 | | Jun 25, 2025 | An issue in OneTrust SDK v.6.33.0 allows a local attacker to cause a denial of service via the Object.setPrototypeOf, __proto__, and Object.assign components. NOTE: this is disputed by the Supplier who does not agree it is a prototype pollution vulnerability. |
| CVE-2026-54267 | | High | 0.39 | — | 0.00 | | Jun 15, 2026 | To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports **Hydration** via `provideClientHydration()`. During SSR, Angular serializes the application's runtime state (such as cached `HttpClient` responses) and outputs it into the HTML stream… |
| CVE-2026-44798 | | High | 0.39 | 7.1 | 0.00 | | May 28, 2026 | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable.… |
| CVE-2018-3721 | — | Medium | 0.35 | 6.5 | 0.02 | | Jun 7, 2018 | lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of… |
| CVE-2026-8492 | | Low | 0.18 | 2.7 | 0.00 | | May 19, 2026 | Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5. |
| CVE-2024-34517 | — | | 0.00 | — | 0.01 | | May 7, 2024 | The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access. |
| CVE-2022-2390 | — | | 0.00 | — | 0.00 | | Aug 12, 2022 | Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let… |
| CVE-2020-28477 | — | | 0.00 | — | 0.02 | | Jan 19, 2021 | This affects all versions of package immer. |
| CVE-2020-26268 | | | 0.00 | — | 0.00 | | Dec 10, 2020 | In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries… |
| CVE-2020-26245 | | | 0.00 | — | 0.02 | | Nov 27, 2020 | npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitizations to avoid prototype pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be… |
| CVE-2020-26237 | | | 0.00 | — | 0.01 | | Nov 24, 2020 | Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during… |
| CVE-2020-8268 | — | | 0.00 | — | 0.01 | | Nov 9, 2020 | Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor. |
| CVE-2020-15256 | — | | 0.00 | — | 0.02 | | Oct 19, 2020 | A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of… |
| CVE-2020-8158 | — | | 0.00 | — | 0.02 | | Sep 18, 2020 | Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks. |