CWE-1321 · Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

510 CVEs are classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, commonly called Prototype Pollution). The table below lists the highest-scoring entries.

Top CVEs for CWE-1321
CVE            | Severity | Score | Published  | Summary
CVE-2026-44005 | Critical | 10.0  | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forw…
CVE-2026-25142 | Critical | 10.0  | 2026-02-02 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, whi…
CVE-2024-39008 | Critical | 10.0  | 2024-07-01 | robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute a…
CVE-2024-38999 | Critical | 10.0  | 2024-07-01 | jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execut…
CVE-2022-29823 | Critical | 10.0  | 2022-10-26 | feathers-sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RC…
CVE-2022-24760 | Critical | 10.0  | 2022-03-12 | Parse Server is an open source HTTP web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This…
CVE-2020-12079 | Critical | 10.0  | 2020-04-23 | Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefo…
CVE-2026-44791 | Critical | 9.9   | 2026-06-23 | n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows…
CVE-2026-44789 | Critical | 9.9   | 2026-06-23 | n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows…
CVE-2026-49252 | Critical | 9.9   | 2026-06-18 | deepstream is a server that allows clients and backend services to sync data, send messages and make RPCs at scale. Versions prior to 10.0.5 are vulnerable to…
CVE-2026-32621 | Critical | 9.9   | 2026-03-16 | Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability…
CVE-2025-25015 | Critical | 9.9   | 2025-03-05 | Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0…
CVE-2025-63704 | Critical | 9.8   | 2026-05-07 | npm package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges th…
CVE-2025-63703 | Critical | 9.8   | 2026-05-07 | npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().
CVE-2026-33994 | Critical | 9.8   | 2026-03-27 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototy…
CVE-2026-33993 | Critical | 9.8   | 2026-03-27 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus…
CVE-2026-33228 | Critical | 9.8   | 2026-03-20 | flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as di…
CVE-2026-29063 | Critical | 9.8   | 2026-03-06 | Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via th…
CVE-2026-28794 | Critical | 9.8   | 2026-03-06 | oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerabili…
CVE-2026-26021 | Critical | 9.8   | 2026-02-11 | set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the npm package set-in (>=…
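Several rows above name the two code shapes behind most CWE-1321 findings: a recursive deep merge (fast-loops' objectMergeDeep, the query-parser-string merge) and a set-by-key-path helper (set-in). The following is an added illustration, not code from any of the projects listed on this page. It shows each shape in its classic vulnerable form next to a hardened version, driven by a constructed JSON body of the kind a request parser would hand to such a function. All function names (mergeDeepVulnerable, mergeDeepSafe, setPathVulnerable, setPathSafe and the demo helpers) are illustrative and assumed.

```javascript
// Added example, not from any project on this page. Names are illustrative.
// Node.js, no dependencies.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// VULNERABLE: follows every key in the source, including "__proto__", and reads
// target[key] through inherited accessors. target["__proto__"] is Object.prototype,
// which passes the plain-object check, so the recursion writes onto it.
function mergeDeepVulnerable(target, source) {
  for (const key in source) {
    const incoming = source[key];
    if (isPlainObject(incoming)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeDeepVulnerable(target[key], incoming);
    } else {
      target[key] = incoming;
    }
  }
  return target;
}

// VULNERABLE: set-by-path helper in the style of set-in / lodash.set.
// A path like ["__proto__", "isAdmin"] walks onto Object.prototype.
function setPathVulnerable(obj, path, value) {
  let cursor = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (!isPlainObject(cursor[key])) cursor[key] = {};
    cursor = cursor[key];
  }
  cursor[path[path.length - 1]] = value;
  return obj;
}

// HARDENED merge: skip the three dangerous keys, enumerate own keys only, and
// never descend into a target property that is merely inherited.
function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop silently; see usage note
    const incoming = source[key];
    if (isPlainObject(incoming)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = mergeDeepSafe(isPlainObject(own) ? own : {}, incoming);
    } else {
      target[key] = incoming;
    }
  }
  return target;
}

// HARDENED set-by-path: validate the whole path before touching anything, so a
// rejected request leaves the target untouched.
function setPathSafe(obj, path, value) {
  if (path.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error('refusing to set through a forbidden key');
  }
  let cursor = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(cursor, key) ? cursor[key] : undefined;
    if (!isPlainObject(own)) cursor[key] = {};
    cursor = cursor[key];
  }
  cursor[path[path.length - 1]] = value;
  return obj;
}

// Constructed attacker input, shaped like a parsed request body. JSON.parse
// creates "__proto__" as an ordinary own property, which is what makes it reachable.
const ATTACKER_BODY = JSON.parse('{"name":"guest","__proto__":{"isAdmin":true}}');

// Each demo reports whether an unrelated object picked up isAdmin, then removes
// the polluted attribute so the process stays usable.
function demoVulnerableMerge() {
  mergeDeepVulnerable({ name: 'default' }, ATTACKER_BODY);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted; // true
}

function demoSafeMerge() {
  const config = mergeDeepSafe({ name: 'default' }, ATTACKER_BODY);
  return { polluted: ({}).isAdmin === true, name: config.name }; // { polluted: false, name: 'guest' }
}

function demoVulnerableSetPath() {
  setPathVulnerable({}, ['__proto__', 'isAdmin'], true);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted; // true
}

function demoSafeSetPath() {
  let rejected = false;
  try { setPathSafe({}, ['__proto__', 'isAdmin'], true); } catch (e) { rejected = true; }
  const legit = setPathSafe({}, ['user', 'roles', 'admin'], false);
  return { rejected, polluted: ({}).isAdmin === true, legit: JSON.stringify(legit) };
}
```

The hardened merge drops forbidden keys, while the hardened setter throws; for code that parses untrusted request bodies, rejecting the whole input is the stricter choice because a `__proto__` key is never legitimate there. Two further mitigations that need no key list are merging into a null-prototype object (`Object.create(null)`) and freezing `Object.prototype` at startup; both stop the write from reaching the shared prototype even when a key check is missed.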