CWE-1321: Prototype Pollution — known CVE vulnerabilities
CVEs classified under CWE-1321 (Prototype Pollution), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-25142 — CVSS 10.0 (critical): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to…
CVE-2024-39008 — CVSS 10.0 (critical): robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows…
CVE-2024-38999 — CVSS 10.0 (critical): jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows…
CVE-2022-29823 — CVSS 10.0 (critical): Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a…
CVE-2022-24760 — CVSS 10.0 (critical): Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in…
CVE-2020-12079 — CVSS 10.0 (critical): Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is…
CVE-2026-44791 — CVSS 9.9 (critical): n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create…
CVE-2026-44789 — CVSS 9.9 (critical): n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create…
CVE-2026-49252 — CVSS 9.9 (critical): deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to…
CVE-2026-32621 — CVSS 9.9 (critical): Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and…
CVE-2025-25015 — CVSS 9.9 (critical): Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana…
CVE-2025-63704 — CVSS 9.8 (critical): NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query…
CVE-2026-33994 — CVSS 9.8 (critical): Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to…
CVE-2026-33993 — CVSS 9.8 (critical): Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()`…
CVE-2026-33228 — CVSS 9.8 (critical): flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from…
CVE-2026-29063 — CVSS 9.8 (critical): Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible…
CVE-2026-28794 — CVSS 9.8 (critical): oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype…
CVE-2026-26021 — CVSS 9.8 (critical): set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the…
CVE-2025-66456 — CVSS 9.8 (critical): Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions…
CVE-2025-57321 — CVSS 9.8 (critical): A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 allows attackers to…
CVE-2025-57347 — CVSS 9.8 (critical): A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function…
CVE-2011-10019 — CVSS 9.8 (critical): Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails…
CVE-2025-49223 — CVSS 9.8 (critical): billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to…
CVE-2024-38988 — CVSS 9.8 (critical): alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This…
CVE-2024-38985 — CVSS 9.8 (critical): janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn…
CVE-2024-24292 — CVSS 9.8 (critical): A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js…
CVE-2025-25977 — CVSS 9.8 (critical): An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.
CVE-2024-56059 — CVSS 9.8 (critical): Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in farinspace Partners partners…
CVE-2024-52441 — CVSS 9.8 (critical): Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn…
CVE-2024-38989 — CVSS 9.8 (critical): izatop bunt v0.29.19 was discovered to contain a prototype pollution via the component /esm/qs.js. This vulnerability allows attackers to…
CVE-2024-38983 — CVSS 9.8 (critical): Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS)…
CVE-2024-39012 — CVSS 9.8 (critical): ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows…
CVE-2024-39011 — CVSS 9.8 (critical): Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and…
CVE-2024-39010 — CVSS 9.8 (critical): chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability…
CVE-2024-38986 — CVSS 9.8 (critical): Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other…
CVE-2024-38984 — CVSS 9.8 (critical): Prototype Pollution in lukebond json-override 0.2.0 allows attackers to to execute arbitrary code or cause a Denial of Service (DoS) via…
CVE-2024-36572 — CVSS 9.8 (critical): Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions…
CVE-2024-39014 — CVSS 9.8 (critical): ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to…
CVE-2024-39013 — CVSS 9.8 (critical): 2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute…
CVE-2024-38996 — CVSS 9.8 (critical): ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function…
CVE-2024-36573 — CVSS 9.8 (critical): almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce…
CVE-2024-36582 — CVSS 9.8 (critical): alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js)
CVE-2024-30564 — CVSS 9.8 (critical): An issue inandrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted…
CVE-2024-29650 — CVSS 9.8 (critical): An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe…
CVE-2024-27307 — CVSS 9.8 (critical): JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression…
CVE-2023-46308 — CVSS 9.8 (critical): In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.