Search Results (514 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-57354 2026-04-15 6.5 Medium
A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by supplying maliciously crafted keys containing prototype chain elements (e.g., __proto__ ), leading to prototype pollution. This weakness enables adversaries to inject arbitrary properties into the JavaScript Object prototype through the first parameter of the translate method when combined with specific separator configurations, potentially resulting in denial-of-service conditions or remote code execution in vulnerable applications. The issue arises from the library's failure to properly validate or neutralize special characters in translation key inputs before processing.
CVE-2024-21529 1 Dset Project 1 Dset 2026-04-15 8.2 High
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.
CVE-2024-36580 2026-04-15 9.8 Critical
A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.
CVE-2024-34273 1 Jwtk 1 Njwt 2026-04-15 5.9 Medium
njwt up to v0.4.0 was discovered to contain a prototype pollution in the Parser.prototype.parse method.
CVE-2024-29650 2026-04-15 9.8 Critical
An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe components.
CVE-2024-57063 2026-04-15 7.5 High
A prototype pollution in the lib function of php-date-formatter v1.3.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVE-2024-21489 2 Leeoniya, Redhat 4 Uplot, Rhel Aus, Rhel E4s and 1 more 2026-04-15 8.2 High
Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.
CVE-2024-57077 2026-04-15 9.1 Critical
The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.
CVE-2024-57071 2026-04-15 7.5 High
A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVE-2024-57069 2026-04-15 7.5 High
A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVE-2024-57065 2026-04-15 7.5 High
A prototype pollution in the lib.createPath function of utile v0.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVE-2024-57080 2026-04-15 7.5 High
A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVE-2024-21528 1 Redhat 1 Openshift Data Foundation 2026-04-15 5.9 Medium
All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper user input sanitization.
CVE-2024-21512 2026-04-15 8.2 High
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
CVE-2025-57820 1 Svelte 1 Devalue 2026-04-15 N/A
Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2
CVE-2024-57708 2026-04-15 5.7 Medium
An issue in OneTrust SDK v.6.33.0 allows a local attacker to cause a denial of service via the Object.setPrototypeOf, __proto__, and Object.assign components. NOTE: this is disputed by the Supplier who does not agree it is a prototype pollution vulnerability.
CVE-2025-27597 1 Intlify 1 Vue-i18n 2026-04-15 N/A
Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.
CVE-2024-57072 2026-04-15 7.5 High
A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
CVE-2024-14020 1 Carboneio 1 Carbone 2026-04-15 5 Medium
A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. Upgrading to version 3.5.6 will fix this issue. This patch is called 04f9feb24bfca23567706392f9ad2c53bbe4134e. You should upgrade the affected component. A successful exploitation can "only occur if the parent NodeJS application has the same security issue".
CVE-2024-39018 1 Harvey-woo 1 Key-serializer 2026-04-15 6.3 Medium
harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function "query". This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.