CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
478 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-1321 (page 8 of 10)
- CVE-2024-39010 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-30
chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary …
- CVE-2024-39011 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-30
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects.
- CVE-2024-39012 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-30
ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-39013 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-01
2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-39014 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-01
ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-39016 | HIGH | CVSS 8.1 | EG 8.1 | 2024-07-01
che3vinci c3/utils-1 1.0.131 was discovered to contain a prototype pollution via the function assign. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-39018 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-07-01
harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function "query". This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary prop…
- CVE-2024-39853 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-07-01
adolph_dudu ratio-swiper 0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- CVE-2024-45277 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-10-08
The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 are impacted by a Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanita…
- CVE-2024-45435 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-08-29
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function.
- CVE-2024-45801 | HIGH | CVSS 7.3 | EG 7.3 | 2024-09-16
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It …
- CVE-2024-45815 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-09-17
Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query t…
- CVE-2024-48910 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-10-31
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
- CVE-2024-52441 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-20
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn quick-learn allows Object Injection. This issue affects Quick Learn: from n/a through <= 1.0.1.
- CVE-2024-52810 | MEDIUM | CVSS 6.9 | EG 0.0 | 2024-11-29
@intlify/shared is a shared library for the intlify project. The latest version of @intlify/shared (10.0.4) is vulnerable to Prototype Pollution through the entry function(s) lib.deepCopy. An attacker can supply a payload with Object.proto…
- CVE-2024-54156 | MEDIUM | CVSS 4.2 | EG 4.2 | 2024-12-04
In JetBrains YouTrack before 2024.3.52635, multiple merge functions were vulnerable to a prototype pollution attack.
- CVE-2024-56059 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-18
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in farinspace Partners partners allows Object Injection. This issue affects Partners: from n/a through <= 0.2.0.
- CVE-2024-57063 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the lib function of php-date-formatter v1.3.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57064 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib…
- CVE-2024-57065 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the lib.createPath function of utile v0.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57066 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57067 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57069 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57071 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57072 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57077 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-02-05
The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global pro…
- CVE-2024-57078 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57080 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57083 | HIGH | CVSS 7.5 | EG 7.5 | 2025-03-28
A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57084 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57086 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-05
A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2024-57708 | MEDIUM | CVSS 5.7 | EG 5.7 | 2025-06-25
An issue in OneTrust SDK v.6.33.0 allows a local attacker to cause a denial of service via the Object.setPrototypeOf, __proto__, and Object.assign components. NOTE: this is disputed by the Supplier who does not agree it is a prototype poll…
- CVE-2025-13158 | CRITICAL | CVSS 9.3 | EG 0.0 | 2025-12-26
Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the …
- CVE-2025-13204 | HIGH | CVSS 7.3 | EG 7.3 | 2025-11-14
npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolv…
- CVE-2025-13465 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-21
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion …
- CVE-2025-25014 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-05-06
A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
- CVE-2025-25015 | CRITICAL | CVSS 9.9 | EG 9.9 | 2025-03-05
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versi…
- CVE-2025-25975 | HIGH | CVSS 7.5 | EG 7.5 | 2025-03-12
An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function.
- CVE-2025-25977 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-03-10
An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.
- CVE-2025-26278 | HIGH | CVSS 7.5 | EG 7.5 | 2025-09-25
A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2025-26621 | HIGH | CVSS 7.6 | EG 7.6 | 2025-05-19
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability manage customizations can edit webhook that will execute javascript code. This can be…
- CVE-2025-27597 | HIGH | CVSS 8.9 | EG 0.0 | 2025-03-07
Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.pro…
- CVE-2025-31475 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-04-07
tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed…
- CVE-2025-3193 | HIGH | CVSS 7.5 | EG 7.5 | 2025-09-27
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error…
- CVE-2025-3197 | HIGH | CVSS 7.3 | EG 7.3 | 2025-04-04
Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the …
- CVE-2025-32014 | MEDIUM | CVSS 6.9 | EG 0.0 | 2025-04-07
estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulner…
- CVE-2025-34146 | HIGH | CVSS 7.0 | EG 0.0 | 2025-07-31
A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition…
- CVE-2025-3982 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-04-27
A vulnerability, which was classified as problematic, was found in nortikin Sverchok 1.3.0. Affected is the function SvSetPropNodeMK2 of the file sverchok/nodes/object_nodes/getsetprop_mk2.py of the component Set Property Mk2 Node. The man…
- CVE-2025-48054 | MEDIUM | CVSS 6.8 | EG 0.0 | 2025-05-27
Radashi is a TypeScript utility toolkit. Prior to version 12.5.1, the set function within the Radashi library is vulnerable to prototype pollution. If an attacker can control parts of the path argument to the set function, they could poten…
- CVE-2025-49223 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-06-04
billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.