Total
443 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-32014 | 2025-04-08 | N/A | N/A | ||
|
estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulnerability is fixed in 3.3.3.
|
|||||
| CVE-2025-3197 | 2025-04-07 | N/A | 7.3 HIGH | ||
|
Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__.
|
|||||
| CVE-2025-25977 | 1 Canvg | 1 Canvg | 2025-03-25 | N/A | 9.8 CRITICAL |
|
An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.
|
|||||
| CVE-2024-57077 | 2025-03-24 | N/A | 9.1 CRITICAL | ||
|
The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.
|
|||||
| CVE-2024-2495 | 1 Friendlyelec | 1 Friendlywrt | 2025-03-24 | N/A | 5.2 MEDIUM |
|
Cryptographic key vulnerability encoded in the FriendlyWrt firmware affecting version 2022-11-16.51b3d35. This vulnerability could allow an attacker to compromise the confidentiality and integrity of encrypted data.
|
|||||
| CVE-2023-23917 | 1 Rocket.chat | 1 Rocket.chat | 2025-03-12 | N/A | 8.8 HIGH |
|
A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account. Any user can create their own server in your cloud and become an admin so this vulnerability could affect the cloud infrastructure. This attack vector also may increase the impact of XSS to RCE which is dangerous for self-hosted users as well.
|
|||||
| CVE-2023-26102 | 1 Rangy Project | 1 Rangy | 2025-03-11 | N/A | 7.5 HIGH |
|
All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype
|
|||||
| CVE-2023-26105 | 1 Utilities Project | 1 Utilities | 2025-03-11 | N/A | 7.5 HIGH |
|
All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.
|
|||||
| CVE-2024-57064 | 2025-03-10 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized.
|
|||||
| CVE-2025-27597 | 2025-03-07 | N/A | N/A | ||
|
Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the li ...
Show More |
|||||
| CVE-2023-26106 | 1 Dot-lens Project | 1 Dot-lens | 2025-03-05 | N/A | 7.5 HIGH |
|
All versions of the package dot-lens are vulnerable to Prototype Pollution via the set() function in index.js file.
|
|||||
| CVE-2020-7709 | 1 Manuelstofer | 1 Json-pointer | 2025-03-05 | 6.5 MEDIUM | 6.0 MEDIUM |
|
This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.
|
|||||
| CVE-2023-26121 | 1 Safe-eval Project | 1 Safe-eval | 2025-02-10 | N/A | 7.5 HIGH |
|
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content.
|
|||||
| CVE-2023-26122 | 1 Safe-eval Project | 1 Safe-eval | 2025-02-07 | N/A | 8.8 HIGH |
|
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation.
Exploiting this vulnerability might result in remote code execution ("RCE").
**Vulnerable functions:**
__defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().
|
|||||
| CVE-2024-57084 | 2025-02-07 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2024-57086 | 2025-02-06 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2024-57080 | 2025-02-06 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2024-57071 | 2025-02-06 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2024-57069 | 2025-02-06 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2024-57078 | 2025-02-06 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2024-57072 | 2025-02-06 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2024-57067 | 2025-02-06 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2024-57066 | 2025-02-06 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2024-57065 | 2025-02-06 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the lib.createPath function of utile v0.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2024-57063 | 2025-02-06 | N/A | 7.5 HIGH | ||
|
A prototype pollution in the lib function of php-date-formatter v1.3.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
|
|||||
| CVE-2023-30533 | 1 Sheetjs | 1 Sheetjs | 2025-02-04 | N/A | 7.8 HIGH |
|
SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words. 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.
|
|||||
| CVE-2023-30363 | 1 Tencent | 1 Vconsole | 2025-02-03 | N/A | 9.8 CRITICAL |
|
vConsole v3.15.0 was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts.
|
|||||
| CVE-2024-54156 | 1 Jetbrains | 1 Youtrack | 2025-01-30 | N/A | 4.2 MEDIUM |
|
In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack
|
|||||
| CVE-2023-2582 | 1 Strikingly | 1 Strikingly | 2025-01-28 | N/A | 6.1 MEDIUM |
|
A prototype pollution vulnerability exists in Strikingly CMS which can result in reflected cross-site scripting (XSS) in affected applications and sites built with Strikingly. The vulnerability exists because of Strikingly JavaScript library parsing the URL fragment allows access to the __proto__ or constructor properties and the Object prototype. By leveraging an embedded gadget like jQuery, an attacker who convinces a victim to visit a specially crafted link could achieve arbitrary javascript ...
Show More |
|||||
| CVE-2021-3918 | 2 Debian, Json-schema Project | 2 Debian Linux, Json-schema | 2025-01-17 | 7.5 HIGH | 9.8 CRITICAL |
|
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
|||||
| CVE-2024-34698 | 1 Freescout | 1 Freescout | 2025-01-10 | N/A | 4.6 MEDIUM |
|
FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the `/public/js/main.js` source file. The Prototype Pollution arises because the `getQueryParam` Function recursively merges an object containing user-controllable properties into an existing object (For URL Query Parameters Parsing), without first sanitizing the keys. This can allow an attacker to inject a property with a key `__proto__`, along wit ...
Show More |
|||||
| CVE-2023-26133 | 1 Progressbar.js Project | 1 Progressbar.js | 2025-01-06 | N/A | 8.2 HIGH |
|
All versions of the package progressbar.js are vulnerable to Prototype Pollution via the function extend() in the file utils.js.
|
|||||
| CVE-2023-26132 | 1 Dottie Project | 1 Dottie | 2025-01-06 | N/A | 7.5 HIGH |
|
Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.
|
|||||
| CVE-2024-45815 | 1 Linuxfoundation | 1 Backstage | 2025-01-03 | N/A | 6.5 MEDIUM |
|
Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
|
|||||
| CVE-2024-56059 | 2024-12-18 | N/A | 9.8 CRITICAL | ||
|
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mighty Digital Partners allows Object Injection.This issue affects Partners: from n/a through 0.2.0.
|
|||||
| CVE-2024-52810 | 2024-11-29 | N/A | N/A | ||
|
@intlify/shared is a shared library for the intlify project. The latest version of @intlify/shared (10.0.4) is vulnerable to Prototype Pollution through the entry function(s) lib.deepCopy. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) as the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the lib ...
Show More |
|||||
| CVE-2024-52441 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn allows Object Injection.This issue affects Quick Learn: from n/a through 1.0.1.
|
|||||
| CVE-2024-39018 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
|
harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function "query". This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-39016 | 2024-11-21 | N/A | 8.1 HIGH | ||
|
che3vinci c3/utils-1 1.0.131 was discovered to contain a prototype pollution via the function assign. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-39014 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||