CWE-1321 · Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
510 CVEs classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-44005 | Critical | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forw… |
| CVE-2026-25142 | Critical | 10.0 | 2026-02-02 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, whi… |
| CVE-2024-39008 | Critical | 10.0 | 2024-07-01 | robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute a… |
| CVE-2024-38999 | Critical | 10.0 | 2024-07-01 | jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execut… |
| CVE-2022-29823 | Critical | 10.0 | 2022-10-26 | Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RC… |
| CVE-2022-24760 | Critical | 10.0 | 2022-03-12 | Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This… |
| CVE-2020-12079 | Critical | 10.0 | 2020-04-23 | Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefo… |
| CVE-2026-44791 | Critical | 9.9 | 2026-06-23 | n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows… |
| CVE-2026-44789 | Critical | 9.9 | 2026-06-23 | n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows… |
| CVE-2026-49252 | Critical | 9.9 | 2026-06-18 | deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to… |
| CVE-2026-32621 | Critical | 9.9 | 2026-03-16 | Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability… |
| CVE-2025-25015 | Critical | 9.9 | 2025-03-05 | Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0… |
| CVE-2025-63704 | Critical | 9.8 | 2026-05-07 | NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges th… |
| CVE-2025-63703 | Critical | 9.8 | 2026-05-07 | npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js(). |
| CVE-2026-33994 | Critical | 9.8 | 2026-03-27 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototy… |
| CVE-2026-33993 | Critical | 9.8 | 2026-03-27 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus… |
| CVE-2026-33228 | Critical | 9.8 | 2026-03-20 | flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as di… |
| CVE-2026-29063 | Critical | 9.8 | 2026-03-06 | Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via th… |
| CVE-2026-28794 | Critical | 9.8 | 2026-03-06 | oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerabili… |
| CVE-2026-26021 | Critical | 9.8 | 2026-02-11 | set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the npm package set-in (>=… |