GHSA-MHWJ-73QX-JQXM @theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function
Summary @theecryptochad/merge-guard versions prior to 1.0.1 are vulnerable to Prototype Pollution via the deepMerge function. An attacker who controls the source object can inject `__proto__` keys that mutate Object.prototype, affecting all objects in the Node.js runtime. Details The deepMerge function...
GHSA-XGX4-2WGV-4JHM PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel
Summary The multiVariableText property panel in @pdfme/schemas constructs HTML via string concatenation and assigns it to innerHTML using unsanitized i18n label values. An attacker who can control label overrides passed through options.labels can inject arbitrary JavaScript that executes in the...
GHSA-62F6-MRCJ-V8H5 OpenClaw's runtime /debug override path accepted prototype-reserved keys
Summary OpenClaw accepted prototype-reserved keys in runtime /debug set override object values (`__proto__`, `constructor`, `prototype`). Impact /debug is disabled by default, and exploitation requires an already authorized /debug set caller. No unauthenticated vector was identified. This issue affects runti...
PT-2026-26018
Summary OpenClaw accepted prototype-reserved keys in runtime /debug set override object values (`__proto__`, `constructor`, `prototype`). Impact /debug is disabled by default, and exploitation requires an already authorized /debug set caller. No unauthenticated vector was identified. This issue affects...
Prototype Pollution
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Prototype Pollution via the deepMerge function in utils/dataUtils.ts file. An attacker can cause all database write operations to fail application-wide until the server is restarted by sending crafted requests to this...
PT-2025-5755 · Unknown · @Zag-Js/Core
Name of the Vulnerable Software and Affected Versions: @zag-js/core version 0.50.0 Description: A prototype pollution issue in the lib.deepMerge function allows attackers to cause a Denial of Service (DoS) by supplying a crafted payload. Recommendations: For @zag-js/core version 0.50.0, consider...
@75lb/deep-merge Prototype Pollution vulnerability
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects...
GHSA-28MC-G557-92M7 @75lb/deep-merge Prototype Pollution vulnerability
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects...
CVE-2024-38986
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects...
CVE-2024-38986
CVE-2024-38986 affects 75lb deep-merge 1.1.1. A prototype-pollution flaw in lodash merge methods could allow an attacker to alter Object.prototype and potentially execute arbitrary code or cause a Denial of Service (DoS). The connected documents consistently describe Prototype Pollution in 75lb de...
PT-2024-28302 · Lodash +1
Name of the Vulnerable Software and Affected Versions: 75lb deep-merge version 1.1.1 Description: The issue allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and have other impacts via merge methods of lodash to merge objects. This is due to Prototype Pollution in the...
Prototype Pollution
Overview putil-merge is a lightweight solution for merging multiple objects into one; it also supports deep merge. Affected versions of this package are vulnerable to Prototype Pollution. The merge function does not check the values passed into the argument. An attacker can supply a malicious val...
GHSA-H68Q-55JF-X68W Prototype pollution in chart.js
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options or the defaults options are deeply merged with provided options. However, during this operation, the keys of the object being...
UBUNTU-CVE-2020-7746
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options or the defaults options are deeply merged with provided options. However, during this operation, the keys of the object being...
CVE-2020-7746
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options or the defaults options are deeply merged with provided options. However, during this operation, the keys of the object being...