453 matches found
DEBIAN-CVE-2026-29063
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5...
CVE-2026-29063
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5...
CVE-2026-29063 Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5...
Immutable collections for JavaScript security vulnerability
Immutable Collections for JavaScript is an open-source immutable data collection library developed by Immutable.js. There were security vulnerabilities in versions prior to 3.8.3, 4.3.7, and 5.1.5 of Immutable Collections for JavaScript. These vulnerabilities stemmed from prototype pollution issu...
GHSA-WF6X-7X77-MVGW Immutable is vulnerable to Prototype Pollution
Impact What kind of vulnerability is it? Who is impacted? A Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. Affected APIs | API | Notes | | --------------------------------------- |...
Immutable is vulnerable to Prototype Pollution
Impact What kind of vulnerability is it? Who is impacted? A Prototype Pollution is possible in immutable via the mergeDeep, mergeDeepWith, merge, Map.toJS, and Map.toObject APIs. Affected APIs | API | Notes | | --------------------------------------- |...
@brochington/ecstatic (=0.3.0), @dreamcatcher-tech/web (=0.0.0) +78 more potentially affected by CVE-2026-29063 via immutable (>=5.0.0 <=5.1.4)
immutable NPM version =5.0.0, =0.2.1, =0.0.9, =11.5.0, =1.6.0, =0.11.0, =11.5.0, =11.5.0, =11.5.0, =0.92.0, =0.0.0-ci.0a1b452, =0.0.0-ci.1e276ed, =0.0.0-ci.fd7cff6 and more Source cves: CVE-2026-29063 Source advisory: OSV:GHSA-WF6X-7X77-MVGW...
@0xgraph/cli (>=0.0.1 <=0.2.1), @actra-development-oss/redux-persistable (>=2.0.0 <=3.0.0) +653 more potentially affected by CVE-2026-29063 via immutable (>=4.0.0-rc.1 <=4.3.7)
immutable NPM version =4.0.0-rc.1, =0.0.1, =2.0.0, =0.2.1, =0.1.0, =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.0.1, =0.11.8-rc.0, =0.1.0, =0.3.3 - @alfresco/adf-testing =6.0.0-A.2-8258 - @alys-chain/graph-alys-cli =0.88.0 and more Source cves: CVE-2026-29063 Source advisory: SNYK:JS-IMMUTABLE-15423650...
org.webjars.npm:browser-sync-ui (=2.27.11), org.webjars.npm:bulma (=1.0.0) +21 more potentially affected by CVE-2026-29063 via org.webjars.npm:immutable (>=3.7.6 <=5.1.3)
org.webjars.npm:immutable MAVEN version =3.7.6, =0.7.0, =0.8.3, =0.8.4 - org.webjars.npm:flux =2.1.1 - org.webjars.npm:github-com-DataTables-DataTablesSrc =2.0.5 - org.webjars.npm:github-com-codeforms-Punica-CSS-Framework =3.0.0 - org.webjars.npm:github-com-digicorp-propeller =1.3.2 -...
-graphql-codegen-client-preset-swc-test (>=2.0.1 <=2.0.2), 01-test-button (>=1.0.0 <=1.0.2) +10983 more potentially affected by CVE-2026-29063 via immutable (>=3.0.1 <=3.8.2)
immutable NPM version =3.0.1, =2.0.1, =1.0.0, =0.0.2, =0.2.0, =2.0.0-rc3, =1.0.0, =1.0.0, =0.1.0, =4.2.1, =6.2.1, =13.6.1, =13.7.2 and more Source cves: CVE-2026-29063 Source advisory: SNYK:JS-IMMUTABLE-15423650...
@alessiodf/core-chameleon (=0.0.1), @arkecosystem/core (>=3.0.0-alpha.0 <=3.11.0-rc.1) +135 more potentially affected by CVE-2026-29063 via immutable (>=5.0.0-beta.2 <=5.1.4)
immutable NPM version =5.0.0-beta.2, =3.0.0-alpha.0, =3.0.0-alpha.0, =3.0.0-alpha.0, =3.0.0-alpha.0, =3.0.0, =3.0.0-alpha.6, =3.9.0, =3.0.0-alpha.0, =3.0.0-alpha.0, =0.1.0, =1.0.6 - @dreamcatcher-tech/web =0.0.0 and more Source cves: CVE-2026-29063 Source advisory: SNYK:JS-IMMUTABLE-15423650...
@0xgraph/cli (>=0.0.1 <=0.2.1), @actra-development-oss/redux-persistable (>=2.0.0 <=3.0.0) +653 more potentially affected by CVE-2026-29063 via immutable (>=4.0.0-rc.1 <=4.3.7)
immutable NPM version =4.0.0-rc.1, =0.0.1, =2.0.0, =0.2.1, =0.1.0, =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.0.1, =0.11.8-rc.0, =0.1.0, =0.3.3 - @alfresco/adf-testing =6.0.0-A.2-8258 - @alys-chain/graph-alys-cli =0.88.0 and more Source cves: CVE-2026-29063 Source advisory: OSV:GHSA-WF6X-7X77-MVGW...
-graphql-codegen-client-preset-swc-test (>=2.0.1 <=2.0.2), 01-test-button (>=1.0.0 <=1.0.2) +11002 more potentially affected by CVE-2026-29063 via immutable (>=2.0.17 <=3.8.2)
immutable NPM version =2.0.17, =2.0.1, =1.0.0, =0.0.2, =0.2.0, =2.0.0-rc3, =1.0.0, =1.0.0, =0.1.0, =4.2.1, =6.2.1, =13.6.1, =13.7.2 and more Source cves: CVE-2026-29063 Source advisory: OSV:GHSA-WF6X-7X77-MVGW...
PT-2026-23094
Name of the Vulnerable Software and Affected Versions Immutable.js versions prior to 3.8.3 Immutable.js versions prior to 4.3.7 Immutable.js versions prior to 5.1.5 Description A Prototype Pollution issue exists in Immutable.js through versions prior to 3.8.3, 4.3.7, and 5.1.5, specifically withi...
OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
Summary For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.26 planned next npm release Impact A command...
GHSA-Q399-23R3-HFX4 OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
Summary For host=node runs, approvals validated command context but did not pin executable identity for non-path-like argv0 tokens (for example, tr). If PATH resolution changed after approval, execution could run a different binary. Impact A previously approved action could execute a different...
OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
Summary For host=node runs, approvals validated command context but did not pin executable identity for non-path-like argv0 tokens (for example, tr). If PATH resolution changed after approval, execution could run a different binary. Impact A previously approved action could execute a different...
PT-2026-26237
Summary For host=node runs, approvals validated command context but did not pin executable identity for non-path-like argv0 tokens (for example, tr). If PATH resolution changed after approval, execution could run a different binary. Impact A previously approved action could execute a different...