
25 matches found

RedHat Linux, added 4 days ago, 6 views

axios: Axios: HTTP Transport Hijacking via Prototype Pollution

A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HT...

CVSS 7.4, AI score 5.7, EPSS 0.00059
Exploits: 1, References: 5
Snyk, added 2026/05/29 5:49 p.m., 4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the BaseHandler.set trap in lib/bridge.js. An attacker can mutate...

CVSS 9.2, AI score 6.2
Exploits: 0, References: 2
CNNVD, added 2026/05/08 12:00 a.m., 5 views

i18next-http-middleware path traversal vulnerability

i18next-http-middleware is an open-source HTTP internationalization middleware for Node.js and Deno by i18next. Versions of i18next-http-middleware prior to 3.9.3 had a path traversal vulnerability. This vulnerability stemmed from unvalidated entry points in the getResourcesHandler and...

CVSS 8.6, AI score 6.2, EPSS 0.00099
Exploits: 0, References: 1
CNNVD, added 2026/05/08 12:00 a.m., 5 views

Axios security vulnerability

Axios is an open-source HTTP client developed by Axios. Versions of Axios from 1.0.0 to 1.15.2 contained security vulnerabilities. These vulnerabilities stemmed from five configuration properties in the HTTP adapter being accessed directly through property access without the protection of...

CVSS 9.1, AI score 5.8, EPSS 0.0009
Exploits: 1, References: 1
RedHat Linux, added 2026/04/29 5:59 a.m., 5 views

lodash: lodash: Arbitrary code execution via untrusted input in template imports

A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. Additionally, .template uses assignInWith to merge imports, whi...

CVSS 9.8, AI score 5.2, EPSS 0.00044
Exploits: 0, References: 7
Cvelist, added 2026/04/10 7:47 p.m., 19 views

CVE-2026-40190 LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK langsmith contains an incomplete prototype pollution fix in its internally vendored lodash set utility. The baseAssignValue function only guards against the...

CVSS 5.6, EPSS 0.00018
Exploits: 0, References: 1
ATTACKERKB, added 2026/02/20 10:29 p.m., 5 views

CVE-2026-27125

svelte is a performance-oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements e.g. enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a...

CVSS 5.3, AI score 5.6, EPSS 0.0003
Exploits: 0, References: 4, Affected software: 1
CVE, added 2026/02/20 10:29 p.m., 7 views

CVE-2026-27125

Svelte SSR vulnerability CVE-2026-27125 affects the framework prior to version 5.51.5 where attribute spreading () enumerates inherited properties from the prototype chain, potentially leaking attributes or causing SSR failures when Object.prototype is polluted. Client-side rendering is unaffecte...

CVSS 6.8, AI score 5.6, EPSS 0.0003
Exploits: 0, References: 3, Affected software: 1
OSV, added 2026/01/28 9:41 p.m., 5 views

GHSA-95FF-46G6-6GW9 NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS

Summary An authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPERADMIN authorization...

CVSS 4.9, AI score 5.9, EPSS 0.00223
Exploits: 1, References: 4
EUVD, added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-1982

Malware in sbrugna...

CVSS 7.5, AI score 7.6, EPSS 0.00263
Exploits: 1, References: 5
EUVD, added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-24827

Malicious code in bioql PyPI...

CVSS 8.8, AI score 9.3, EPSS 0.04295
Exploits: 0, References: 3
Tenable Nessus, added 2024/05/11 12:00 a.m., 136 views

RHEL 8 : jquery (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - jquery: Untrusted code execution via tag in HTML passed to DOM manipulation methods CVE-2020-11023 - jQue...

AI score 7.3, EPSS 0.3466
Exploits: 14, References: 3
NVD, added 2024/01/03 5:15 a.m., 15 views

CVE-2023-46308

In Plotly plotly.js before 2.25.2, plot API calls have a risk of proto being polluted in expandObjectPaths or nestedProperty...

CVSS 9.8, AI score 9.5, EPSS 0.00201
Exploits: 0, References: 3
RedhatCVE, added 2022/04/12 8:00 p.m., 39 views

CVE-2022-21803

A flaw was found in the nconf library when setting the configuration properties. This flaw allows an attacker to provide a crafted property, leading to prototype object pollution...

CVSS 7.5, AI score 3.8, EPSS 0.00932
Exploits: 1, References: 4
OSV, added 2021/09/17 10:15 a.m., 11 views

CVE-2021-23442

This affects all versions of package @cookiex/deep. The global proto object can be polluted using the proto object...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 3
Prion, added 2021/09/17 10:15 a.m., 10 views

Code injection

This affects all versions of package @cookiex/deep. The global proto object can be polluted using the proto object...

CVSS 7.5, AI score 9.4, EPSS 0.005
Exploits: 1, References: 3, Affected software: 1
CVE, added 2021/09/17 9:45 a.m., 46 views

CVE-2021-23442

The CVE-2021-23442 issue affects the npm package @cookiex/deep, where the global Object proto can be polluted via proto. The root cause is prototype pollution in the library, impacting all versions prior to 0.0.7. Documented references (GHSA, OSV, Veracode, NVD) indicate high impact with potenti...

CVSS 9.8, AI score 9.2, EPSS 0.005
Exploits: 1, References: 3, Affected software: 1
Prion, added 2021/09/01 3:15 p.m., 9 views

Design/Logic Flaw

This affects all versions of package Proto. It is possible to pollute the object property of an application using Proto by leveraging the merge function...

CVSS 5, AI score 7.5, EPSS 0.00263
Exploits: 1, References: 2