What is CVE-2026-35209?

CVE-2026-35209 is a high-severity vulnerability in Unjs Defu, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 7.5/10. Published 2026-04-06.

How severe is CVE-2026-35209?

High severity. CVSS v3 base score is 7.5 out of 10.

Prototype Pollution in Unjs Defu

CVE-2026-35209

defu is software that allows uers to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) a…

Vulnerability class: Prototype Pollution

EPSS: 0.000 (5.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Affected products

Unjs Defu — versions < 6.1.5

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

https://github.com/unjs/defu/security/advisories/GHSA-737v-mqg7-c878 (x_refsource_CONFIRM, Mitigation, Vendor Advisory)
https://github.com/unjs/defu/pull/156 (Patch, x_refsource_MISC, Issue Tracking)
https://github.com/unjs/defu/commit/3942bfbbcaa72084bd4284846c83bd61ed7c8b29 (Patch, x_refsource_MISC)
https://github.com/unjs/defu/releases/tag/v6.1.5 (x_refsource_MISC, Release Notes)

Frequently asked questions

What is CVE-2026-35209?: CVE-2026-35209 is a high-severity vulnerability in Unjs Defu, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 7.5/10. Published 2026-04-06.
How severe is CVE-2026-35209?: High severity. CVSS v3 base score is 7.5 out of 10.