73 matches found
CVE-2026-25150 Prototype Pollution via FormData Processing in Qwik City
Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails ...
CVE-2026-25150
CVE-2026-25150 affects @builder.io/qwik-city middleware in Qwik. The formToObj() function improperly handles field names with dot notation (e.g., user.name), failing to sanitize dangerous property names such as __proto__, constructor, and prototype. This prototype pollution allows unauthenticated at...
Prototype Pollution via FormData Processing in Qwik City
Summary: A Prototype Pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and...
PT-2026-6499
Summary: A Prototype Pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and...
EUVD-2007-5752
Malware in sbrugna...
Skops may allow MethodNode to access unexpected object fields through dot notation, leading to arbitrary code execution at load time
Summary: An inconsistency in MethodNode can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3, it i...
Prototype Pollution
Overview: shvl is a package that gets and sets dot-notated properties within an object. Affected versions of this package are vulnerable to Prototype Pollution due to an incomplete fix not protecting against the constructor.prototype vector. PoC (js): var shvl = require("shvl"); let obj = {}; console.log("Before: " +...
Prototype Pollution in acstll/deep-get-set
Description: deep-set-get is a package that sets and gets values on objects via dot-notation strings. This package is vulnerable to prototype pollution. PoC: const deep = require('deep-get-set'); deep,'__proto__','polluted',true; console.log(polluted);...
Prototype Pollution
Overview: eivindfjeldstad-dot is a module that gets and sets object properties with dot notation. Note: this package has been deprecated and moved into @eivifj/dot. Affected versions of this package are vulnerable to Prototype Pollution. The function set could be tricked into adding or modifying...
Prototype Pollution
Overview: @eivifj/dot is a module that gets and sets object properties with dot notation. Affected versions of this package are vulnerable to Prototype Pollution. The function set could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. PoC: var a =...
[SECURITY] Fedora 31 Update: nodejs-set-value-2.0.1-1.fc31
Create nested values and any intermediaries using dot notation (a.b.c) path s...
[SECURITY] Fedora 30 Update: nodejs-set-value-2.0.1-1.fc30
Create nested values and any intermediaries using dot notation (a.b.c) path s...
Protected files access in LilHTTP
By using ./ and ../ it's possible to access any files...