5 matches found
CVE-2026-35209 vulnerabilities
Vulnerabilities for packages: renovate, jitsucom-jitsu, langfuse...
CVE-2026-35209
creationtimestamp | type | source
---|---|---
2026-04-06 18:09:43+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mitud4tgjt2o
2026-04-06 18:23:56+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mitv4jr7ms2t
2026-04-06 18:24:21+00:00 | seen | ...
CVE-2026-35209
CVE-2026-35209 affects defu, a recursive defaults merger. Before v6.1.5, the vulnerable code path uses Object.assign({}, defaults) in _defu, which can trigger the `__proto__` setter and pollute the Object prototype, allowing attacker-controlled values to appear in the final result. The vulnerability ar...
@142vip/vue (>=0.1.6-alpha.11 <=0.1.6-alpha.12), @2digits/oxfmt-config (=0.3.0) +480 more potentially affected by CVE-2026-35209 via defu (>=6.0.0 <=6.1.4)
defu NPM version =6.0.0, =0.1.6-alpha.11, =0.0.1, =0.0.3, =1.0.0, =0.1.22, =0.1.23, =0.1.18, =0.1.21 and more Source cves: CVE-2026-35209 Source advisory: SNYK:JS-DEFU-15914644...
org.webjars.npm:listhen (=1.0.1), org.webjars.npm:radix-vue (=1.9.17) +5 more potentially affected by CVE-2026-35209 via org.webjars.npm:defu (=6.1.4)
org.webjars.npm:defu MAVEN version =6.1.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:defu and may be impacted:
- org.webjars.npm:listhen =1.0.1
- org.webjars.npm:radix-vue =1.9.17
- org.webjars.npm:rc9 =2.0.0, =0.52.1, =0.52.3

Sour...