Search Results (520 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-36580 2026-04-15 9.8 Critical
A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.
CVE-2024-34273 1 Jwtk 1 Njwt 2026-04-15 5.9 Medium
njwt up to v0.4.0 was discovered to contain a prototype pollution in the Parser.prototype.parse method.
CVE-2025-62517 1 Rollbar 1 Rollbar 2026-04-15 5.9 Medium
Rollbar.js offers error tracking and logging from Javascript to Rollbar. In versions before 2.26.5 and from 3.0.0-alpha1 to before 3.0.0-beta5, there is a prototype pollution vulnerability in merge(). If application code calls rollbar.configure() with untrusted input, prototype pollution is possible. This issue has been fixed in versions 2.26.5 and 3.0.0-beta5. A workaround involves ensuring that values passed to rollbar.configure() do not contain untrusted input.
CVE-2024-21529 1 Dset Project 1 Dset 2026-04-15 8.2 High
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.
CVE-2024-24293 1 Miguelcastillo 1 Bit-loader 2026-04-15 8.8 High
A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.
CVE-2024-38991 1 Akbr 1 Patch-into 2026-04-15 8.8 High
akbr patch-into v1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-38989 1 Izatop 1 Bunt 2026-04-15 9.8 Critical
izatop bunt v0.29.19 was discovered to contain a prototype pollution via the component /esm/qs.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-57063 2026-04-15 7.5 High
A prototype pollution in the lib function of php-date-formatter v1.3.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVE-2025-53626 2026-04-15 6.1 Medium
pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1.
CVE-2024-21512 2026-04-15 8.2 High
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
CVE-2025-57352 2026-04-15 5.3 Medium
A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the __proto__ property, an attacker can manipulate the prototype chain of JavaScript objects, leading to denial of service or arbitrary code execution. This issue arises from insufficient validation of attribute namespace removal operations, allowing unintended modification of critical object prototypes. The vulnerability remains unaddressed in the latest available version.
CVE-2024-38992 1 Airvert Thuan 1 Frappejs 2026-04-15 8.8 High
airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2025-68130 1 Trpc 1 Trpc 2026-04-15 N/A
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.
CVE-2024-39014 1 Cahilfoley 1 Utils 2026-04-15 9.8 Critical
ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-36578 1 Akbr 1 Update 2026-04-15 5.9 Medium
akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.
CVE-2024-57080 2026-04-15 7.5 High
A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVE-2024-38987 1 Ageoflearning 1 Cli-lib 2026-04-15 6.3 Medium
aofl cli-lib v3.14.0 was discovered to contain a prototype pollution via the component defaultsDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-39013 1 2o3t 1 2o3t-utility 2026-04-15 9.8 Critical
2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-57078 2026-04-15 7.5 High
A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVE-2024-39018 1 Harvey-woo 1 Key-serializer 2026-04-15 6.3 Medium
harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function "query". This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.