11 matches found
CVE-2026-6594
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The...
@brikcss/rollup-config-generator (>=0.0.15 <=0.0.16), @brikcss/stakcss (>=0.0.0 <=0.9.1) +9 more potentially affected by CVE-2026-6594 via @brikcss/merge (>=1.0.7 <=1.3.0)
@brikcss/merge NPM version =1.0.7, =0.0.15, =0.0.0, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.4, =0.0.1, =0.2.0, =0.10.0 Source cves: CVE-2026-6594 Source advisory: OSV:GHSA-3JC6-6R48-V6QF...
EUVD-2026-23742
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The...
GHSA-3JC6-6R48-V6QF Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization
A Prototype Pollution vulnerability was determined in brikcss merge up to 1.3.0. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was...
Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization
A Prototype Pollution vulnerability was determined in brikcss merge up to 1.3.0. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was...
CVE-2026-6594
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The...
CVE-2026-6594 brikcss merge prototype pollution
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The...
CVE-2026-6594 brikcss merge prototype pollution
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The...
PT-2026-33688
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The...
@brikcss/rollup-config-generator (>=0.0.15 <=0.0.16), @brikcss/stakcss (>=0.0.0 <=0.9.1) +9 more potentially affected by CVE-2026-6594 via @brikcss/merge (>=1.0.7 <=1.3.0)
@brikcss/merge NPM version =1.0.7, =0.0.15, =0.0.0, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.4, =0.0.1, =0.2.0, =0.10.0 Source cves: CVE-2026-6594 Source advisory: SNYK:JS-BRIKCSSMERGE-1727594...
Prototype Pollution
Overview @brikcss/merge is a utility to perform a deep merge of a list of objects or arrays. Affected versions of this package are vulnerable to Prototype Pollution via the Merge function. PoC // PoC.js var merge = require"@brikcss/merge" var obj = var maliciouspayload = '"proto":"polluted":"Yes...