CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
478 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-1321 (page 7 of 10)
- CVE-2024-12629 | MEDIUM | CVSS 4.1 | EG 4.1 | 2025-02-12
In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.
- CVE-2024-14020 | MEDIUM | CVSS 5.0 | EG 5.0 | 2026-01-07
A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. Executing a manipulation can lead to improper…
- CVE-2024-21489 | HIGH | CVSS 8.2 | EG 8.2 | 2024-10-01
Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to a missing check of whether the attribute resolves to the object prototype.
- CVE-2024-21505 | HIGH | CVSS 7.5 | EG 7.5 | 2024-03-25
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to…
- CVE-2024-21509 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-04-10
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
- CVE-2024-21512 | HIGH | CVSS 8.2 | EG 8.2 | 2024-05-29
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
- CVE-2024-21528 | MEDIUM | CVSS 5.9 | EG 5.9 | 2024-09-10
All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper user input sanitization.
- CVE-2024-21529 | HIGH | CVSS 8.2 | EG 8.2 | 2024-09-11
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Objec…
- CVE-2024-21548 | HIGH | CVSS 7.5 | EG 7.5 | 2024-12-18
Versions of the package bun after 0.0.12 and before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that accept objects. **Note:** This issue r…
- CVE-2024-22443 | HIGH | CVSS 7.2 | EG 7.2 | 2024-07-24
A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could …
- CVE-2024-23339 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-01-22
hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block att…
- CVE-2024-24292 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-03-28
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component.
- CVE-2024-24293 | HIGH | CVSS 8.8 | EG 8.8 | 2024-05-20
A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.
- CVE-2024-2495 | MEDIUM | CVSS 5.2 | EG 5.2 | 2024-03-15
Cryptographic key vulnerability encoded in the FriendlyWrt firmware affecting version 2022-11-16.51b3d35. This vulnerability could allow an attacker to compromise the confidentiality and integrity of encrypted data.
- CVE-2024-27307 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-03-06
JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. Th…
- CVE-2024-29650 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-03-25
An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe components.
- CVE-2024-29651 | HIGH | CVSS 8.1 | EG 8.1 | 2024-05-20
A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the `bundle()`, `parse()`, `resolve()`, and `dereference()` functions.
- CVE-2024-30564 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-04-18
An issue in andrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method.
- CVE-2024-32866 | HIGH | CVSS 8.6 | EG 8.6 | 2024-04-23
Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigg…
- CVE-2024-33519 | HIGH | CVSS 7.2 | EG 7.2 | 2024-07-24
A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vuln…
- CVE-2024-34148 | MEDIUM | CVSS 6.8 | EG 6.8 | 2024-05-02
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system property 'hudson.model.ParametersAction.ke…
- CVE-2024-34273 | MEDIUM | CVSS 5.9 | EG 5.9 | 2024-05-16
njwt up to v0.4.0 was discovered to contain a prototype pollution in the Parser.prototype.parse method.
- CVE-2024-34698 | MEDIUM | CVSS 4.6 | EG 4.6 | 2024-05-14
FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the `/public/js/main.js` source file. The Prototype Pollution arises because the `getQuery…
- CVE-2024-36572 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-30
Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
- CVE-2024-36573 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-06-17
almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the components at obx/build/index.js:656, reduce (@almela/obx/build/index.js:470), and Object.set (obx/build/index.js:269).
- CVE-2024-36574 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-06-17
A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON (flatten-json/index.js:42).
- CVE-2024-36577 | HIGH | CVSS 8.3 | EG 8.3 | 2024-06-17
apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty.
- CVE-2024-36578 | MEDIUM | CVSS 5.9 | EG 5.9 | 2024-06-17
akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.
- CVE-2024-36580 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-06-17
A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.
- CVE-2024-36582 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-06-17
alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js).
- CVE-2024-36583 | HIGH | CVSS 8.1 | EG 8.1 | 2024-06-17
A Prototype Pollution issue in byondreal accessor <= 1.0.0 allows an attacker to execute arbitrary code via @byondreal/accessor/index.
- CVE-2024-37287 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-08-13
A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately le…
- CVE-2024-38983 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-30
Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index.js:91).
- CVE-2024-38984 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-30
Prototype Pollution in lukebond json-override 0.2.0 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property.
- CVE-2024-38985 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-03-28
janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn (lib/index.js:90). This vulnerability allows attackers to execute arbitrary code or cause a Denial of Serv…
- CVE-2024-38986 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-30
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects.
- CVE-2024-38987 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-07-01
aofl cli-lib v3.14.0 was discovered to contain a prototype pollution via the component defaultsDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-38988 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-03-28
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting ar…
- CVE-2024-38989 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-08-12
izatop bunt v0.29.19 was discovered to contain a prototype pollution via the component /esm/qs.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-38991 | HIGH | CVSS 8.8 | EG 8.8 | 2024-07-01
akbr patch-into v1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-38992 | HIGH | CVSS 8.8 | EG 8.8 | 2024-07-01
airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-38993 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-01
rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function empty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-38994 | HIGH | CVSS 7.3 | EG 7.3 | 2024-07-01
amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-38996 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-01
ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via in…
- CVE-2024-38997 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-07-01
adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function extendDefaults. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary prope…
- CVE-2024-38999 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-07-01
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary prop…
- CVE-2024-39000 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-07-01
adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-39001 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-07-01
ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary…
- CVE-2024-39003 | HIGH | CVSS 7.3 | EG 7.3 | 2024-07-01
amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function setValue. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-39008 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-07-01
robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary propert…