22 matches found

Positive Technologies
added 2026/05/12 12:00 a.m. | 5 views

PT-2026-40538

Name of the Vulnerable Software and Affected Versions: protobufjs versions prior to 7.5.6; protobufjs versions prior to 8.0.2. Description: Message constructors generate JavaScript functions that copy enumerable properties from a provided properties object without filtering the __proto__ key. If an...

CVSS 5.3 | AI score 5.8 | EPSS 0.00083
Exploits 0 | References 6
Github Security Blog
added 2026/05/06 5:34 p.m. | 3 views

next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys

Summary: setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys __proto__, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true...

AI score 5.8
Exploits 0 | References 2 | Affected software 1
Snyk
added 2026/04/04 6:17 a.m. | 3 views

Prototype Pollution

Overview: org.webjars.npm:defu is described as "Recursively assign default properties. Lightweight and Fast!" Affected versions of this package are vulnerable to Prototype Pollution via the defu function. An attacker can override default configuration values by supplying crafted input containing a __proto__ key,...

CVSS 8.7 | AI score 6.4 | EPSS 0.00018
Exploits 0 | References 2
Positive Technologies
added 2026/04/04 12:00 a.m. | 0 views

PT-2026-30321

Name of the Vulnerable Software and Affected Versions: defu versions prior to 6.1.5. Description: Applications using the defu software are susceptible to prototype pollution when processing unsanitized user input, such as parsed JSON request bodies, database records, or config files from untrusted...

CVSS 7.5 | AI score 5.9 | EPSS 0.00018
Exploits 0 | References 11
Github Security Blog
added 2026/03/29 3:44 p.m. | 3 views

MikroORM has Prototype Pollution in Utils.merge

A prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when...

CVSS 9.1 | AI score 6 | EPSS 0.00046
Exploits 0 | References 3 | Affected software 1
Cvelist
added 2026/03/27 10:14 p.m. | 23 views

CVE-2026-33993 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the __proto__ key. When a PHP serialized...

CVSS 6.9 | EPSS 0.00055
Exploits 1 | References 4
Vulnrichment
added 2026/03/27 10:14 p.m. | 1 view

CVE-2026-33993 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the __proto__ key. When a PHP serialized...

CVSS 6.9 | AI score 5.9 | EPSS 0.00055
Exploits 1 | References 4
OSV
added 2026/03/27 10:14 p.m. | 2 views

CVE-2026-33993 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the __proto__ key. When a PHP serialized...

CVSS 6.9 | AI score 5.9 | EPSS 0.00055
Exploits 1 | References 6
Github Security Blog
added 2026/03/27 5:57 p.m. | 7 views

Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()

Summary: The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the __proto__ key. When a PHP serialized payload contains __proto__ as an array or object key, JavaScript's __proto__ setter is invoked, replacing the deserialized...

CVSS 9.8 | AI score 6 | EPSS 0.00055
Exploits 1 | References 6 | Affected software 1
CNNVD
added 2026/03/27 12:00 a.m. | 4 views

Locutus security vulnerability

Locutus is an open-source JavaScript library developed by Locutus. Versions of Locutus prior to 3.0.25 contained security vulnerabilities. These vulnerabilities stemmed from the unserialize function not filtering the __proto__ key, which could lead to prototype pollution, property injection, and...

CVSS 9.8 | AI score 5.8 | EPSS 0.00055
Exploits 1 | References 4
OSV
added 2026/03/20 11:16 p.m. | 2 views

DEBIAN-CVE-2026-33228

flatted is a circular JSON parser. Prior to version 3.4.2, the parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with th...

CVSS 9.8 | AI score 5.8 | EPSS 0.0007
Exploits 1 | References 1
Debian CVE
added 2026/03/20 11:06 p.m. | 3 views

CVE-2026-33228

flatted is a circular JSON parser. Prior to version 3.4.2, the parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with th...

CVSS 9.8 | AI score 5.8 | EPSS 0.0007
Exploits 1
Github Security Blog
added 2026/03/11 12:31 a.m. | 11 views

Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })

Summary: When using parseBody({ dot: true }) in HonoRequest, specially crafted form field names such as __proto__.x could create objects containing a __proto__ property. If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the...

AI score 5.8
Exploits 0 | References 3 | Affected software 1
OSV
added 2026/02/09 8:11 p.m. | 4 views

CVE-2026-25639 Axios affected by Denial of Service via __proto__ Key in mergeConfig

Axios is a promise-based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious...

CVSS 7.5 | AI score 5.9 | EPSS 0.00044
Exploits 1 | References 9
Github Security Blog
added 2026/02/09 5:46 p.m. | 70 views

Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Denial of Service via __proto__ Key in mergeConfig. Summary: The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse, causing...

CVSS 7.5 | AI score 5.8 | EPSS 0.00044
Exploits 1 | References 9 | Affected software 1
Positive Technologies
added 2026/02/03 12:00 a.m. | 2 views

PT-2026-6499

Summary: A Prototype Pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and...

CVSS 9.3 | AI score 5.7 | EPSS 0.00086
Exploits 0 | References 5
Github Security Blog
added 2025/09/24 9:30 p.m. | 4 views

messageformat has a prototype pollution vulnerability

The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special character...

CVSS 7.5 | AI score 6.9 | EPSS 0.00242
Exploits 0 | References 3 | Affected software 1
OSV
added 2024/03/29 11:07 a.m. | 1 view

OESA-2024-1338 nodejs-qs security update

This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior and twice as fast. Used by express, connect and others. Security Fixes: qs before 6.10.3, as used in Express before 4.17.3 a...

CVSS 7.5 | AI score 7 | EPSS 0.01543
Exploits 2 | References 2
SUSE CVE
added 2023/02/15 3:28 a.m. | 1 view

SUSE CVE-2022-21824

Due to the formatting logic of the "console.table" function, it was not safe to allow user-controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has...

CVSS 4 | AI score 6.9 | EPSS 0.0034
Exploits 0 | References 14
OSV
added 2022/12/24 4:15 a.m. | 3 views

AZL-44886 CVE-2022-46175 affecting package js-jquery 3.5.0-4

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand, e.g. for config files. The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings t...

CVSS 8.8 | AI score 7.1 | EPSS 0.42304
Exploits 1 | References 1