Export limit exceeded: 354383 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (494 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-57065 | 2026-04-15 | 7.5 High | ||
| A prototype pollution in the lib.createPath function of utile v0.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | ||||
| CVE-2024-52810 | 1 Intlify | 1 Vue-i18n | 2026-04-15 | N/A |
| @intlify/shared is a shared library for the intlify project. The latest version of @intlify/shared (10.0.4) is vulnerable to Prototype Pollution through the entry function(s) lib.deepCopy. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) as the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context. This issue has been addressed in versions 9.14.2, and 10.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-36583 | 1 Byondreal | 1 Accessor | 2026-04-15 | 8.1 High |
| A Prototype Pollution issue in byondreal accessor <= 1.0.0 allows an attacker to execute arbitrary code via @byondreal/accessor/index. | ||||
| CVE-2024-36582 | 1 Alykoshin | 1 Mini-deep-assign | 2026-04-15 | 9.8 Critical |
| alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js) | ||||
| CVE-2024-36578 | 1 Akbr | 1 Update | 2026-04-15 | 5.9 Medium |
| akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js. | ||||
| CVE-2024-36577 | 1 Apphp | 1 Apphp Js-object-resolver | 2026-04-15 | 8.3 High |
| apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty. | ||||
| CVE-2024-36574 | 1 Amirziai | 1 Flatten Json | 2026-04-15 | 6.3 Medium |
| A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON (flatten-json/index.js:42) | ||||
| CVE-2024-36573 | 1 Almela | 1 Obx | 2026-04-15 | 9.8 Critical |
| almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component. | ||||
| CVE-2024-36580 | 2026-04-15 | 9.8 Critical | ||
| A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code. | ||||
| CVE-2024-29651 | 1 Apidevtools | 1 Json-schema-ref-parser | 2026-04-15 | 8.1 High |
| A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the bundle()`, `parse()`, `resolve()`, `dereference() functions. | ||||
| CVE-2024-29650 | 2026-04-15 | 9.8 Critical | ||
| An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe components. | ||||
| CVE-2025-62410 | 1 Capricorn86 | 1 Happy-dom | 2026-04-15 | 10.0 Critical |
| In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2. | ||||
| CVE-2024-14020 | 1 Carboneio | 1 Carbone | 2026-04-15 | 5 Medium |
| A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. Upgrading to version 3.5.6 will fix this issue. This patch is called 04f9feb24bfca23567706392f9ad2c53bbe4134e. You should upgrade the affected component. A successful exploitation can "only occur if the parent NodeJS application has the same security issue". | ||||
| CVE-2024-21489 | 2 Leeoniya, Redhat | 4 Uplot, Rhel Aus, Rhel E4s and 1 more | 2026-04-15 | 8.2 High |
| Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype. | ||||
| CVE-2024-21505 | 2026-04-15 | 7.5 High | ||
| Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions. | ||||
| CVE-2024-21512 | 2026-04-15 | 8.2 High | ||
| Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables. | ||||
| CVE-2024-21528 | 1 Redhat | 1 Openshift Data Foundation | 2026-04-15 | 5.9 Medium |
| All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper user input sanitization. | ||||
| CVE-2024-21529 | 1 Dset Project | 1 Dset | 2026-04-15 | 8.2 High |
| Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program. | ||||
| CVE-2024-21548 | 2026-04-15 | 7.5 High | ||
| Versions of the package bun after 0.0.12 and before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that accept objects. **Note:** This issue relates to the widely known and actively developed 'Bun' JavaScript runtime. The bun package on NPM at versions 0.0.12 and below belongs to a different and older project that happened to claim the 'bun' name in the past. | ||||
| CVE-2024-24293 | 1 Miguelcastillo | 1 Bit-loader | 2026-04-15 | 8.8 High |
| A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js. | ||||