npm package
set-in
pkg:npm/set-in
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-26021 | — | >= 2.0.1, < 2.0.5 | 2.0.5 | Feb 11, 2026 | set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input con | ||
| CVE-2022-25354 | — | < 2.0.3 | 2.0.3 | Mar 17, 2022 | The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-104 | ||
| CVE-2020-28273 | — | < 2.0.1 | 2.0.1 | Dec 2, 2020 | Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution. |
- CVE-2026-26021Feb 11, 2026affected >= 2.0.1, < 2.0.5fixed 2.0.5
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input con
- CVE-2022-25354Mar 17, 2022affected < 2.0.3fixed 2.0.3
The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-104
- CVE-2020-28273Dec 2, 2020affected < 2.0.1fixed 2.0.1
Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution.