
42 matches found

ATTACKERKB
added 2 days ago | 3 views

CVE-2026-54269

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names...

5.3 CVSS | 5.9 AI score | 0.00238 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
Snyk
added 2026/06/15 5:27 p.m. | 4 views

Improper Check for Unusual or Exceptional Conditions

Overview: Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the schema-derived names that collide with runtime-significant properties. An attacker can cause affected message or service types to become unusable, resulting in denial of servic...

6.9 CVSS | 5.6 AI score | 0.00238 EPSS
Exploits: 0 | References: 2
OSV
added 2026/06/15 5:27 p.m. | 7 views

GHSA-F38Q-MGVJ-VPH7 protobufjs: Schema-derived names can shadow runtime-significant properties

Summary: protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service...

5.3 CVSS | 5.7 AI score | 0.00238 EPSS
Exploits: 0 | References: 2
GitHub Security Blog
added 2026/06/15 5:27 p.m. | 12 views

protobufjs: Schema-derived names can shadow runtime-significant properties

Summary: protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service...

5.3 CVSS | 5.7 AI score | 0.00238 EPSS
Exploits: 0 | References: 2 | Affected Software: 2
Snyk
added 2026/06/15 5:27 p.m. | 6 views

Improper Check for Unusual or Exceptional Conditions

Overview: protobufjs-cli translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the schema-derived names that collide with runtime-significant...

6.9 CVSS | 5.6 AI score | 0.00238 EPSS
Exploits: 0 | References: 2
Positive Technologies
added 2026/06/15 12:00 a.m. | 9 views

PT-2026-49584

Name of the Vulnerable Software and Affected Versions: protobufjs versions prior to 8.6.0; protobufjs versions prior to 7.6.3. Description: protobufjs accepts certain schema-derived names that collide with properties used by runtime helpers. Specifically, this occurs with fields named hasOwnProperty,...

5.3 CVSS | 5.5 AI score | 0.00238 EPSS
Exploits: 0 | References: 4
Vulnrichment
added 2026/06/11 3:30 p.m. | 6 views

CVE-2026-44489 Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge (e.g., config.proxy) are still constructed as plain objects with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

3.7 CVSS | 5.5 AI score | 0.00228 EPSS
Exploits: 1 | References: 1
CNNVD
added 2026/06/11 12:00 a.m. | 9 views

Axios Injection Vulnerability

Axios is an open-source HTTP client developed by Axios. Versions of Axios from 1.15.2 to 1.16.0 had an injection vulnerability. This vulnerability stemmed from the lack of hasOwnProperty checks on nested objects created by the utils.merge function. This could lead to prototype pollution and...

5.3 CVSS | 5.2 AI score | 0.00228 EPSS
Exploits: 1 | References: 2
GitHub Security Blog
added 2026/05/21 9:41 p.m. | 16 views

@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty

Summary: The copyProps function in lib/src/object/copy.ts uses for...in to iterate over source object properties without an Object.hasOwnProperty check, and does not filter dangerous keys (__proto__, constructor, prototype). This allows an attacker to pollute the prototype chain of all objects in the...

5.9 AI score | 0.0006 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/05/21 12:00 a.m. | 7 views

PT-2026-42651

Summary: The copyProps function in lib/src/object/copy.ts uses for...in to iterate over source object properties without an Object.hasOwnProperty check, and does not filter dangerous keys (__proto__, constructor, prototype). This allows an attacker to pollute the prototype chain of all objects in the...

9.2 CVSS | 5.9 AI score
Exploits: 0 | References: 3
UbuntuCve
added 2026/05/08 4:16 a.m. | 6 views

CVE-2026-42264

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making th...

9.1 CVSS | 5.7 AI score | 0.00414 EPSS
Exploits: 1 | References: 6
Veracode
added 2026/04/30 8:31 a.m. | 6 views

Prototype Pollution

Axios is vulnerable to Prototype Pollution. The vulnerability is due to missing hasOwnProperty checks when reading object properties, which allows an attacker to exploit polluted prototypes to intercept and modify JSON responses or hijack HTTP transport, gaining access to sensitive request data...

7.4 CVSS | 5.2 AI score | 0.00381 EPSS
Exploits: 1 | References: 3 | Affected Software: 1
ATTACKERKB
added 2026/04/24 5:36 p.m. | 2 views

CVE-2026-42033

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the...

7.4 CVSS | 5.4 AI score | 0.00381 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
Veracode
added 2026/02/12 7:25 a.m. | 6 views

Arbitrary Code Execution

SandboxJS is vulnerable to a sandbox escape vulnerability. The vulnerability is due to inconsistent key validation during property access, where the key is sanitized using hasOwnProperty(key) but not strictly enforced as a string, allowing attackers to supply crafted objects that coerce to differen...

10 CVSS | 5.5 AI score | 0.00489 EPSS
Exploits: 1 | References: 3 | Affected Software: 1
RedhatCVE
added 2026/02/08 1:21 a.m. | 4 views

CVE-2026-25586

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties,...

10 CVSS | 5.4 AI score | 0.00636 EPSS
Exploits: 1 | References: 1
NVD
added 2026/02/06 8:16 p.m. | 4 views

CVE-2026-25586

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties,...

10 CVSS | 0.00636 EPSS
Exploits: 1 | References: 2
CVE
added 2026/02/06 7:54 p.m. | 14 views

CVE-2026-25586

SandboxJS (JavaScript sandboxing library) is affected by a sandbox-escape vulnerability prior to version 0.8.29. The flaw allows shadowing hasOwnProperty on a sandbox object, disabling prototype whitelist enforcement in the property-access path. This enables direct access to __proto__ and other block...

10 CVSS | 5.4 AI score | 0.00636 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
Vulnrichment
added 2026/02/06 7:54 p.m. | 3 views

CVE-2026-25586 SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties,...

10 CVSS | 5.4 AI score | 0.00636 EPSS
Exploits: 1 | References: 2
EUVD
added 2026/02/06 7:54 p.m. | 7 views

EUVD-2026-5592

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties,...

10 CVSS | 5.4 AI score | 0.00636 EPSS
Exploits: 1 | References: 2
ATTACKERKB
added 2026/02/06 7:54 p.m. | 4 views

CVE-2026-25586

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties,...

10 CVSS | 5.4 AI score | 0.00636 EPSS
Exploits: 1 | References: 3 | Affected Software: 1