Total
314 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20087 | 1 Acemetrix | 1 Jquery-deparam | 2025-08-14 | 6.5 MEDIUM | 8.8 HIGH |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype. | |||||
| CVE-2025-55164 | 2025-08-12 | N/A | N/A | ||
| content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature. | |||||
| CVE-2025-26621 | 1 Citeum | 1 Opencti | 2025-08-06 | N/A | 6.8 MEDIUM |
| OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability manage customizations can edit webhook that will execute javascript code. This can be abused to cause a denial of service attack by prototype pollution, making the node js server running the OpenCTI frontend become unavailable. Version 6.5.2 fixes the issue. | |||||
| CVE-2025-8101 | 2025-07-25 | N/A | N/A | ||
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2. | |||||
| CVE-2023-45811 | 1 Relative | 1 Synchrony | 2025-07-22 | N/A | 7.8 HIGH |
| Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `deobfuscator@2.4.4`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags | |||||
| CVE-2024-11628 | 1 Progress | 1 Kendo Ui For Vue | 2025-06-27 | N/A | 7.2 HIGH |
| In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. | |||||
| CVE-2024-12629 | 1 Progress | 1 Kendoreact | 2025-06-27 | N/A | 7.2 HIGH |
| In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. | |||||
| CVE-2023-46308 | 1 Plotly | 1 Plotly.js | 2025-06-03 | N/A | 9.8 CRITICAL |
| In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty. | |||||
| CVE-2025-5150 | 1 Linuxfoundation | 1 Docarray | 2025-06-03 | N/A | 8.8 HIGH |
| A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-37265 | 1 Stealjs | 1 Steal | 2025-05-28 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js. | |||||
| CVE-2020-36604 | 1 Hapijs | 1 Hoek | 2025-05-27 | N/A | 8.1 HIGH |
| hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function. | |||||
| CVE-2025-48054 | 2025-05-27 | N/A | N/A | ||
| Radashi is a TypeScript utility toolkit. Prior to version 12.5.1, the set function within the Radashi library is vulnerable to prototype pollution. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios. This issue has been patched in version 12.5.1. A workaround for this issue involves sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. | |||||
| CVE-2022-21169 | 1 Express Xss Sanitizer Project | 1 Express Xss Sanitizer | 2025-05-21 | N/A | 6.1 MEDIUM |
| The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization. | |||||
| CVE-2022-37611 | 1 Gh-pages Project | 1 Gh-pages | 2025-05-15 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in tschaub gh-pages 3.1.0 via the partial variable in util.js. | |||||
| CVE-2022-37602 | 1 Grunt-karma Project | 1 Grunt-karma | 2025-05-15 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 via the key variable in grunt-karma.js. | |||||
| CVE-2022-37614 | 1 Mockery Project | 1 Mockery | 2025-05-15 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js. | |||||
| CVE-2025-3982 | 1 Nortikin | 1 Sverchok | 2025-05-12 | N/A | 8.8 HIGH |
| A vulnerability, which was classified as problematic, was found in nortikin Sverchok 1.3.0. Affected is the function SvSetPropNodeMK2 of the file sverchok/nodes/object_nodes/getsetprop_mk2.py of the component Set Property Mk2 Node. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-37621 | 1 Browserify-shim Project | 1 Browserify-shim | 2025-05-07 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in resolve-shims.js. | |||||
| CVE-2022-37623 | 1 Browserify-shim Project | 1 Browserify-shim | 2025-05-06 | N/A | 9.8 CRITICAL |
| Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js. | |||||
| CVE-2022-42743 | 1 Deep-parse-json Project | 1 Deep-parse-json | 2025-05-05 | N/A | 5.3 MEDIUM |
| deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited. | |||||