Proto

492 known vulnerabilities · 127 critical · 123 high

CVE-2021-23426 · MEDIUM

Prototype Pollution in Proto

Published Sep 2, 2021
CVE-2019-18841 · HIGH

Prototype Pollution in chartkick

Published Dec 2, 2019
CVE-2020-7704 · CRITICAL

linux-cmdline is vulnerable to Prototype Pollution via the constructor

Published May 24, 2022
CVE-2023-26135 · HIGH

flatnest Prototype Pollution vulnerability

Published Jun 30, 2023
CVE-2025-13204

expr-eval vulnerable to Prototype Pollution

Published Nov 14, 2025
CVE-2022-25645 · MEDIUM

Prototype Pollution in dset

Published May 3, 2022
CVE-2021-23328 · MEDIUM

Prototype Pollution in iniparserjs

Published Apr 13, 2021
CVE-2025-57354

counterpart vulnerable to prototype pollution

Published Sep 24, 2025
CVE-2021-23440 · HIGH

Prototype Pollution in set-value

Published Sep 13, 2021
CVE-2021-23558 · HIGH

Prototype Pollution in bmoor

Published Feb 1, 2022
CVE-2026-3635

fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

Published Mar 25, 2026
CVE-2022-39396 · CRITICAL

Remote code execution via MongoDB BSON parser through prototype pollution

Published Nov 8, 2022
CVE-2023-6293 · HIGH

sequelize-typescript Prototype Pollution vulnerability

Published Nov 24, 2023
CVE-2022-41878 · HIGH

Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers

Published Nov 9, 2022
CVE-2018-3722 · HIGH

Prototype Pollution in merge-deep

Published Jul 26, 2018
CVE-2018-16491 · CRITICAL

Prototype Pollution in node.extend

Published Feb 7, 2019
CVE-2024-21505 · HIGH

web3-utils Prototype Pollution vulnerability

Published Mar 27, 2024
CVE-2022-37623 · CRITICAL

thlorenz browserify-shim vulnerable to prototype pollution

Published Oct 31, 2022
CVE-2025-57329

web3-core-method is vulnerable to prototype pollution

Published Sep 24, 2025
MAL-2025-9264

Malicious code in @protos-team/frontend-server (npm)

Published Aug 14, 2025
CVE-2025-8101

Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)

Published Jul 26, 2025
CVE-2020-7617 · MEDIUM

Prototype Pollution in ini-parser

Published Jun 10, 2020
CVE-2021-25913 · CRITICAL

Prototype Pollution in set-or-get

Published Apr 12, 2021
CVE-2023-46308 · CRITICAL

plotly.js prototype pollution vulnerability

Published Jan 3, 2024
CVE-2016-10552 · HIGH

Resources Downloaded over Insecure Protocol in igniteui

Published Feb 18, 2019
CVE-2020-7639 · MEDIUM

eivindfjeldstad-dot contains prototype pollution vulnerability

Published May 25, 2021
CVE-2021-25916 · CRITICAL

Prototype pollution vulnerability in 'patchmerge'

Published Oct 13, 2021
CVE-2025-48054

radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Published May 27, 2025
CVE-2019-10795 · MEDIUM

Prototype Pollution in undefsafe

Published Feb 9, 2022
CVE-2026-25047

deepHas vulnerable to Prototype Pollution via constructor.prototype

Published Jan 29, 2026
CVE-2020-7725 · CRITICAL

Prototype Pollution in worksmith

Published May 6, 2021
CVE-2021-25946 · CRITICAL

Prototype pollution in nconf-toml

Published Jun 7, 2021
CVE-2018-16487 · MEDIUM

Prototype Pollution in lodash

Published Feb 7, 2019
CVE-2020-28280 · CRITICAL

Prototype pollution vulnerability in 'predefine'

Published Oct 12, 2021
GHSA-mwv9-gp5h-frr4

Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties

Published Mar 12, 2026
CVE-2018-16486 · CRITICAL

Prototype Pollution in defaults-deep

Published Feb 7, 2019
CVE-2018-3752 · CRITICAL

Prototype Pollution in merge-options

Published Oct 9, 2018
CVE-2020-28450 · HIGH

Prototype Pollution in decal

Published Apr 13, 2021
CVE-2026-34767 · MEDIUM
Risk: 29.51/100

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

Published Apr 3, 2026
CVE-2025-57320

json-schema-editor-visual vulnerable to prototype pollution

Published Sep 24, 2025
CVE-2022-37257 · CRITICAL

steal vulnerable to Prototype Pollution via requestedVersion variable

Published Sep 16, 2022
CVE-2025-25977

canvg Prototype Pollution vulnerability

Published Mar 10, 2025
CVE-2021-23434 · MEDIUM

Prototype Pollution in object-path

Published Sep 1, 2021
CVE-2024-57066

@ndhoule/defaults prototype pollution

Published Feb 6, 2025
CVE-2026-34773 · MEDIUM
Risk: 23.51/100

Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

Published Apr 3, 2026
CVE-2022-29823 · CRITICAL

Feather-Sequelize cleanQuery method vulnerable to Prototype Pollution

Published Oct 26, 2022
CVE-2023-28103 · HIGH

Prototype pollution in matrix-react-sdk

Published Mar 29, 2023
CVE-2024-38987 · MEDIUM

@aofl/cli-lib Prototype Pollution vulnerability

Published Jul 1, 2024
CVE-2020-24939 · HIGH

Prototype pollution in supermixer

Published Dec 10, 2021
CVE-2022-25907 · HIGH

ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution

Published Aug 10, 2022
CVE-2021-40663 · CRITICAL

Prototype Pollution in deep.assign

Published Jul 1, 2022
CVE-2020-28460 · MEDIUM

Prototype pollution in multi-ini

Published Apr 13, 2021
CVE-2021-23561 · MEDIUM

Prototype Pollution in comb

Published Dec 16, 2021
CVE-2020-7715 · CRITICAL

Prototype Pollution in deep-get-set

Published May 6, 2021
CVE-2020-26245 · HIGH

Prototype Pollution in systeminformation

Published Nov 27, 2020
CVE-2020-7699 · HIGH

Prototype Pollution in express-fileupload

Published Aug 5, 2020
CVE-2024-39008 · CRITICAL

robinweser fast-loops vulnerable to prototype pollution

Published Jul 1, 2024
GHSA-w48f-fwg7-ww6p

@stablelib/cbor: Prototype poisoning via `__proto__` map keys in CBOR decoding

Published Apr 4, 2026
CVE-2020-28283 · CRITICAL

Prototype pollution vulnerability in 'libnested'

Published Oct 12, 2021
GHSA-45q2-gjvg-7973

Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server

Published Apr 16, 2026
CVE-2026-33994

Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521

Published Mar 27, 2026
CVE-2021-23497 · HIGH

Prototype Pollution in @strikeentco/set

Published Feb 5, 2022
CVE-2026-33993

Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()

Published Mar 27, 2026
CVE-2021-23383 · MEDIUM

Prototype Pollution in handlebars

Published Feb 10, 2022
CVE-2022-1243 · MEDIUM

Incorrect protocol extraction via \r, \n and \t characters

Published Apr 6, 2022
CVE-2026-29063

Immutable is vulnerable to Prototype Pollution

Published Mar 4, 2026
CVE-2020-7702 · CRITICAL

Prototype Pollution in templ8

Published May 6, 2021
CVE-2020-36604 · HIGH

hoek subject to prototype pollution via the clone function.

Published Sep 25, 2022
CVE-2024-38996 · CRITICAL

Prototype pollution in ag-grid-community via the _.mergeDeep function

Published Jul 1, 2024
CVE-2026-27125

Svelte SSR attribute spreading includes inherited properties from prototype chain

Published Feb 19, 2026
CVE-2020-8147 · CRITICAL

Prototype Pollution

Published Sep 3, 2020
CVE-2021-23509 · MEDIUM

Prototype Pollution in json-ptr

Published Nov 8, 2021
CVE-2021-23421 · MEDIUM

Prototype Pollution in merge-change

Published Sep 1, 2021
CVE-2021-20085 · HIGH

Prototype Pollution in backbone-query-parameters

Published May 6, 2021
CVE-2018-16469 · HIGH

Prototype Pollution in merge

Published Nov 1, 2018
CVE-2021-23419 · HIGH

Prototype Pollution in open-graph

Published Sep 1, 2021
CVE-2019-10747 · CRITICAL

Prototype Pollution in set-value

Published Aug 27, 2019
CVE-2026-25142

SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE

Published Feb 2, 2026
CVE-2023-26920 · MEDIUM

fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name

Published Jun 13, 2023
CVE-2026-34221 · CRITICAL
Risk: 45.53/100

MikroORM has Prototype Pollution in Utils.merge

Published Mar 29, 2026
CVE-2023-26132 · HIGH

dottie vulnerable to Prototype Pollution

Published Jun 10, 2023
CVE-2022-25352 · HIGH

Prototype Pollution in libnested

Published Mar 18, 2022
CVE-2020-7641 · MEDIUM

grunt-util-property 0.0.2 function call can add/modify properties of Object.prototype using a __proto__ payload

Published Jul 18, 2022
CVE-2021-23682 · HIGH

Prototype Pollution in litespeed.js and appwrite/server-ce

Published Feb 17, 2022
CVE-2025-31475

tarteaucitron.js allows prototype pollution via custom text injection

Published Apr 7, 2025
CVE-2022-37614 · CRITICAL

mockery is vulnerable to prototype pollution

Published Oct 12, 2022
CVE-2020-28281 · CRITICAL

Prototype pollution in set-object-value

Published Apr 13, 2021
CVE-2024-38999 · CRITICAL

jrburke requirejs vulnerable to prototype pollution

Published Jul 1, 2024
CVE-2020-28448 · MEDIUM

Prototype Pollution in multi-ini

Published Apr 13, 2021
CVE-2021-4264 · MEDIUM

dustjs-linkedin vulnerable to Prototype Pollution

Published Dec 21, 2022
CVE-2021-21297 · HIGH

Prototype Pollution in Node-Red

Published Feb 26, 2021
CVE-2018-16490 · HIGH

Prototype Pollution in mpath

Published Feb 7, 2019
CVE-2022-46175 · HIGH

Prototype Pollution in JSON5 via Parse Method

Published Dec 29, 2022
CVE-2021-44906 · CRITICAL

Prototype Pollution in minimist

Published Mar 18, 2022
CVE-2025-3193

algoliasearch-helper is vulnerable to Prototype Pollution in _merge()

Published Sep 27, 2025
CVE-2021-25915 · CRITICAL

Changeset vulnerable to prototype pollution

Published May 24, 2022
CVE-2021-25949 · CRITICAL

set-getter Prototype Pollution Vulnerability

Published Jun 21, 2021
CVE-2026-25754

AdonisJS multipart body parsing has Prototype Pollution issue

Published Feb 6, 2026
CVE-2023-30363 · CRITICAL

Prototype Pollution in vConsole

Published Apr 26, 2023
CVE-2020-7719 · CRITICAL

Prototype Pollution in locutus

Published May 6, 2021
CVE-2020-7700 · CRITICAL

Prototype Pollution in phpjs

Published May 6, 2021
CVE-2026-23736

seroval Affected by Prototype Pollution via JSON Deserialization

Published Jan 21, 2026
GHSA-5c6j-r48x-rmvq

Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()

Published Feb 28, 2026
CVE-2020-28478 · HIGH

Prototype pollution in gsap

Published Jan 20, 2021
GHSA-xq3m-2v4x-88gg

Arbitrary code execution in protobufjs

Published Apr 16, 2026
CVE-2023-38894 · CRITICAL

tree-kit Prototype Pollution vulnerability

Published Aug 17, 2023
CVE-2022-21231 · HIGH

Prototype Pollution in deep-get-set

Published Jun 25, 2022
CVE-2020-28499 · HIGH

Prototype Pollution in merge

Published May 4, 2021
CVE-2026-27524

OpenClaw's runtime /debug override path accepted prototype-reserved keys

Published Mar 3, 2026
CVE-2020-7792 · HIGH

Prototype Pollution in mout

Published Feb 9, 2022
CVE-2019-10744 · CRITICAL

Prototype Pollution in lodash

Published Jul 10, 2019
CVE-2020-7721 · CRITICAL

Prototype Pollution in node-oojs

Published May 6, 2021
CVE-2026-30939

Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution

Published Mar 10, 2026
CVE-2025-57330

web3-core-subscriptions has a Prototype Pollution vulnerability

Published Sep 24, 2025
CVE-2025-57348

node-cube vulnerable to prototype pollution

Published Sep 24, 2025
CVE-2020-8268 · HIGH

Prototype pollution in json8-merge-patch

Published May 10, 2021
CVE-2025-62381

`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`

Published Oct 15, 2025
CVE-2020-28268 · HIGH

Prototype pollution in controlled-merge

Published May 18, 2021
CVE-2020-7771 · HIGH

Prototype Pollution in asciitable.js

Published Apr 13, 2021
CVE-2021-23442 · HIGH

Prototype Pollution in cookiex/deep

Published Sep 20, 2021
CVE-2020-7637 · MEDIUM

Prototype pollution in class-transformer

Published Apr 7, 2020
CVE-2022-25354 · HIGH

Prototype Pollution in set-in

Published Mar 18, 2022
CVE-2020-7770 · MEDIUM

Prototype pollution in json8

Published May 10, 2021
CVE-2021-23543 · CRITICAL

Prototype Pollution in realms-shim

Published Jan 13, 2022
CVE-2020-7717 · CRITICAL

Prototype Pollution in dot-notes

Published May 6, 2021
CVE-2020-28273 · CRITICAL

Prototype pollution in set-in

Published Mar 19, 2021
CVE-2020-7726 · CRITICAL

Prototype Pollution in safe-object2

Published May 6, 2021
CVE-2026-22686

enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain

Published Jan 14, 2026
MAL-2025-3940

Malicious code in human-protocol (npm)

Published May 18, 2025
CVE-2020-28462 · HIGH

ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse`

Published Jul 26, 2022
CVE-2021-26707 · CRITICAL

Prototype pollution in Merge-deep

Published Jun 7, 2021
CVE-2022-37621 · CRITICAL

thlorenz browserify-shim vulnerable to prototype pollution

Published Oct 29, 2022
CVE-2020-7768 · HIGH

Prototype pollution in grpc and @grpc/grpc-js

Published May 10, 2021
CVE-2022-37611 · CRITICAL

tschaub gh-pages vulnerable to prototype pollution

Published Oct 12, 2022
CVE-2022-36059 · HIGH

matrix-js-sdk Prototype Pollution vulnerability

Published Mar 28, 2023
CVE-2022-41713 · MEDIUM

deep-object-diff vulnerable to Prototype Pollution

Published Nov 4, 2022
CVE-2025-49223

billboard.js allows prototype pollution via the function generate

Published Jun 4, 2025
CVE-2023-26102 · HIGH

rangy vulnerable to Prototype Pollution

Published Feb 24, 2023
CVE-2026-32878

Parse Server vulnerable to schema poisoning via prototype pollution in deep copy

Published Mar 17, 2026
CVE-2018-3738 · MEDIUM

Denial of Service in protobufjs

Published Oct 9, 2018
CVE-2022-37601 · CRITICAL

Prototype pollution in webpack loader-utils

Published Oct 13, 2022
CVE-2021-23448 · MEDIUM

Prototype Pollution in config-handler

Published Oct 12, 2021
CVE-2021-23820 · MEDIUM

Prototype Pollution in json-pointer

Published Nov 8, 2021
CVE-2019-10745 · HIGH

assign-deep Vulnerable to Prototype Pollution

Published Aug 21, 2019
CVE-2018-16489 · CRITICAL

Prototype Pollution in just-extend

Published Feb 7, 2019
CVE-2021-23760 · MEDIUM

Prototype Pollution in keyget

Published Feb 1, 2022
CVE-2025-57324

parse is vulnerable to prototype pollution

Published Sep 24, 2025
CVE-2025-57327

spmrc vulnerable to prototype pollution

Published Sep 24, 2025
CVE-2020-28277 · CRITICAL

dset vulnerable to prototype pollution

Published May 24, 2022
CVE-2025-61140

JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js

Published Jan 28, 2026
CVE-2022-21189 · HIGH

Prototype Pollution in Dexie

Published May 3, 2022
CVE-2020-28495 · HIGH

Prototype pollution in total.js

Published Feb 5, 2021
CVE-2020-7707 · CRITICAL

Prototype Pollution in property-expr

Published May 6, 2021
CVE-2021-21304 · HIGH

Prototype Pollution in Dynamoose

Published Feb 8, 2021
CVE-2026-25521

locutus is vulnerable to Prototype Pollution

Published Feb 2, 2026
CVE-2021-25952 · CRITICAL

Prototype pollution in just-safe-set

Published Dec 10, 2021
CVE-2021-3815 · CRITICAL

Prototype Pollution in @fabiocaccamo/utils.js

Published Dec 10, 2021
CVE-2022-24802 · HIGH

Prototype Pollution in deepmerge-ts

Published Apr 1, 2022
CVE-2020-28449 · HIGH

Prototype Pollution in decal

Published Apr 13, 2021
MAL-2022-269

Malicious code in @feiprotocol/fei-protocol-core (npm)

Published Jun 20, 2022
CVE-2021-23433 · MEDIUM

Prototype Pollution in algoliasearch-helper

Published Nov 23, 2021
CVE-2025-13158

apidoc-core has a prototype pollution vulnerability

Published Dec 26, 2025
CVE-2021-25941 · CRITICAL

Prototype Pollution in deep-override

Published May 17, 2021
CVE-2020-28477 · HIGH

Prototype Pollution in immer

Published Jan 20, 2021
CVE-2022-21803 · HIGH

Prototype Pollution in nconf

Published Apr 13, 2022
CVE-2023-26136 · MEDIUM

tough-cookie Prototype Pollution vulnerability

Published Jul 1, 2023
CVE-2026-35209 · HIGH
Risk: 50.4/100

defu: Prototype pollution via `__proto__` key in defaults argument

Published Apr 4, 2026
CVE-2022-37265 · CRITICAL

steal vulnerable to Prototype Pollution via alias variable

Published Sep 21, 2022
CVE-2020-7748 · MEDIUM

Prototype pollution in @tsed/core

Published May 10, 2021
CVE-2021-43787 · CRITICAL

XSS via prototype pollution in NodeBB

Published Nov 30, 2021
GHSA-wv67-q8rr-grjp

Duplicate Advisory: Prototype Pollution in jquery

Published Apr 23, 2019
CVE-2020-28274 · CRITICAL

Prototype pollution vulnerability in 'deepref'

Published Oct 12, 2021
CVE-2025-68130

tRPC has possible prototype pollution in `experimental_nextAppDirCaller`

Published Dec 16, 2025
CVE-2018-3720 · HIGH

Prototype Pollution in assign-deep

Published Jul 26, 2018
CVE-2020-28276 · CRITICAL

Prototype pollution vulnerability in 'deep-set'

Published May 24, 2022
CVE-2024-57083

Redoc Prototype Pollution via `Module.mergeObjects` Component

Published Mar 28, 2025
GHSA-7rx3-28cr-v5wh

Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry

Published Mar 29, 2026
GHSA-xrxf-jgv3-qmrm

OpenAI Codex CLI enables code execution through malicious MCP (Model Context Protocol) configuration files

Published Apr 14, 2026
CVE-2025-13465

Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions

Published Jan 21, 2026
CVE-2021-23574 · HIGH

Prototype Pollution in js-data

Published Jan 6, 2022
CVE-2026-33864

Convict has Prototype Pollution via startsWith() function

Published Mar 26, 2026
CVE-2019-10768 · HIGH

angular Prototype Pollution vulnerability

Published Nov 20, 2019
CVE-2022-37617 · CRITICAL

thlorenz browserify-shim vulnerable to prototype pollution

Published Oct 12, 2022
CVE-2020-28503 · HIGH

Prototype Pollution in copy-props

Published Jan 6, 2022
CVE-2023-26133 · HIGH

progressbar.js vulnerable to Prototype Pollution

Published Jun 12, 2023
CVE-2022-36060 · HIGH

matrix-react-sdk Prototype pollution vulnerability

Published Mar 28, 2023
CVE-2021-23395 · HIGH

Prototype Pollution in nedb

Published Jun 21, 2021
CVE-2021-23436 · MEDIUM

Prototype Pollution in immer

Published Sep 2, 2021
CVE-2021-25914 · CRITICAL

Prototype Pollution Vulnerability in object-collider

Published Mar 19, 2021
CVE-2021-25927 · CRITICAL

Prototype pollution in safe-flat

Published Jun 21, 2021
CVE-2026-25536

@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse

Published Feb 4, 2026
CVE-2025-57328

toggle-array vulnerable to prototype pollution

Published Sep 24, 2025
CVE-2026-30226

devalue has prototype pollution in devalue.parse and devalue.unflatten

Published Mar 12, 2026
CVE-2024-21489 · HIGH

uPlot Prototype Pollution vulnerability

Published Oct 1, 2024
MAL-2022-2462

Malicious code in dforce-protocol (npm)

Published Jun 20, 2022
CVE-2020-28272 · CRITICAL

keyget vulnerable to prototype pollution

Published May 24, 2022
GHSA-3jc6-6r48-v6qf

Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization

Published Apr 20, 2026
CVE-2025-8083

Vuetify has a Prototype Pollution vulnerability

Published Dec 12, 2025
CVE-2021-44908 · CRITICAL

Prototype Pollution in Sails.js

Published Mar 18, 2022
CVE-2020-7706 · CRITICAL

Prototype Pollution in connie-lang

Published May 6, 2021
CVE-2020-7720 · CRITICAL

Prototype Pollution in node-forge

Published Sep 14, 2020
CVE-2020-28282 · CRITICAL

Prototype pollution in getobject

Published Oct 12, 2021
CVE-2026-24766

NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS

Published Jan 28, 2026
CVE-2023-36475 · CRITICAL

Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

Published Jun 30, 2023
CVE-2020-28271 · CRITICAL

Prototype Pollution in deephas

Published Sep 24, 2021
CVE-2024-38985 · CRITICAL

depath and cool-path vulnerable to Prototype Pollution via `set()` Method

Published Mar 28, 2025
CVE-2018-1000118 · HIGH

Electron protocol handler browser vulnerable to Command Injection

Published Mar 26, 2018
CVE-2021-26505 · CRITICAL

MrSwitch hello.js vulnerable to prototype pollution

Published Aug 11, 2023
CVE-2022-25912 · HIGH

simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol

Published Dec 6, 2022
CVE-2026-31865

Elysia Cookie Value Prototype Pollution

Published Mar 17, 2026
CVE-2026-31860

Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check

Published Mar 12, 2026
CVE-2024-52809

vue-i18n has cross-site scripting vulnerability with prototype pollution

Published Dec 2, 2024
CVE-2023-45827 · HIGH

Prototype Pollution(PP) vulnerability in setByPath

Published Nov 3, 2023
CVE-2022-23631 · CRITICAL

Prototype Pollution leading to Remote Code Execution in superjson

Published Feb 9, 2022
MAL-2022-6451

Malicious code in tellar-protocol (npm)

Published Jun 20, 2022
CVE-2025-62374

Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

Published Oct 14, 2025
CVE-2022-24723 · MEDIUM

Leading white space bypasses protocol validation

Published Mar 3, 2022
CVE-2024-21509 · MEDIUM

mysql2 vulnerable to Prototype Poisoning

Published Apr 10, 2024
GHSA-cj63-jhhr-wcxv

DOMPurify USE_PROFILES prototype pollution allows event handlers

Published Apr 3, 2026
CVE-2024-57086

node-opcua-alarm-condition prototype pollution vulnerability

Published Feb 6, 2025
CVE-2020-7714 · CRITICAL

Prototype Pollution in confucious

Published May 6, 2021
CVE-2024-57085

@stryker-mutator/util vulnerable to Prototype Pollution

Published Feb 6, 2025
CVE-2018-3751 · CRITICAL

Prototype Pollution in merge-recursive

Published Sep 18, 2018
GHSA-j452-xhg8-qg39

Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution

Published Apr 15, 2026
CVE-2025-57317

apidoc-core is vulnerable to prototype pollution

Published Sep 25, 2025
CVE-2020-7742 · HIGH

Prototype Pollution in simpl-schema

Published May 10, 2021
CVE-2022-0691 · CRITICAL

url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.

Published Feb 22, 2022
CVE-2021-23624 · MEDIUM

Prototype Pollution in dotty

Published Nov 8, 2021
CVE-2024-30564 · CRITICAL

@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability

Published Apr 18, 2024
CVE-2025-34146

@nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE

Published Jul 31, 2025
CVE-2020-7701 · CRITICAL

Prototype Pollution in madlib-object-utils

Published May 6, 2021
CVE-2021-23470 · HIGH

Prototype Pollution in putil-merge

Published Feb 5, 2022
CVE-2021-3645 · CRITICAL

merge vulnerable to Prototype Pollution

Published Sep 13, 2021
CVE-2020-15256 · HIGH

Prototype pollution in object-path

Published Oct 19, 2020
CVE-2025-64718

js-yaml has prototype pollution in merge (<<)

Published Nov 14, 2025
CVE-2021-25945 · CRITICAL

Prototype pollution vulnerability in js-extend

Published Jun 8, 2021
MAL-2025-191235

Malicious code in @ifelsedeveloper/protocol-contracts-svm-idl (npm)

Published Nov 24, 2025
CVE-2018-3721 · MEDIUM

Prototype Pollution in lodash

Published Jul 26, 2018
CVE-2021-25953 · CRITICAL

Prototype Pollution in putil-merge

Published Dec 10, 2021
CVE-2022-24760 · CRITICAL

Command injection in Parse Server through prototype pollution

Published Mar 11, 2022
CVE-2021-23329 · HIGH

Prototype pollution in nested-object-assign

Published Feb 1, 2021
CVE-2020-7774 · HIGH

Prototype Pollution in y18n

Published Mar 29, 2021
CVE-2025-28269

js-object-utilities Vulnerable to Prototype Pollution

Published Apr 7, 2025
CVE-2020-7638 · MEDIUM

confinit vulnerable to prototype pollution

Published Apr 7, 2020
CVE-2021-23444 · MEDIUM

Prototype Pollution in jointjs

Published Sep 22, 2021
CVE-2025-57321

magix-combine-ex vulnerable to prototype pollution

Published Sep 24, 2025
MAL-2024-10788

Malicious code in seatalk-protocol (npm)

Published Nov 16, 2024
CVE-2020-7772 · HIGH

Prototype Pollution in doc-path

Published May 10, 2021
CVE-2023-26158 · HIGH

mockjs vulnerable to Prototype Pollution via the Util.extend function

Published Dec 8, 2023
CVE-2021-39227 · MEDIUM

Prototype Pollution in the merge and clone helper methods

Published Sep 20, 2021
CVE-2020-7722 · CRITICAL

Prototype Pollution in nodee-utils

Published May 6, 2021
CVE-2020-7737 · HIGH

Prototype Pollution in safetydance

Published Feb 10, 2022
CVE-2024-27307 · CRITICAL

JSONata expression can pollute the "Object" prototype

Published Mar 4, 2024
CVE-2021-3766 · CRITICAL

objection.js Prototype Pollution vulnerability

Published Sep 7, 2021
CVE-2025-32014

estree-util-value-to-estree allows prototype pollution in generated ESTree

Published Apr 7, 2025
CVE-2020-7643 · MEDIUM

Prototype pollution in paypal-adaptive

Published Dec 10, 2021
CVE-2021-23373 · HIGH

set-deep-prop Prototype Pollution

Published Jul 26, 2022
CVE-2022-2564 · CRITICAL

automattic/mongoose vulnerable to Prototype pollution via Schema.path

Published Jul 29, 2022
CVE-2020-28270 · CRITICAL

Prototype pollution in object-hierarchy-access

Published Oct 12, 2021
MAL-2025-111

Malicious code in web-prototyping-tool (npm)

Published Jan 14, 2025
CVE-2022-42743 · MEDIUM

deep-parse-json vulnerable to Prototype Pollution

Published Nov 4, 2022
CVE-2025-57319

Withdrawn Advisory: fast-redact vulnerable to prototype pollution

Published Sep 24, 2025
CVE-2024-36580 · CRITICAL

@cdr0/sg Prototype Pollution

Published Jun 17, 2024
CVE-2020-7718 · CRITICAL

Prototype Pollution in gammautils

Published May 6, 2021
CVE-2019-10746 · CRITICAL

Prototype Pollution in mixin-deep

Published Aug 27, 2019
CVE-2020-7751 · MEDIUM

Prototype pollution in pathval

Published Feb 10, 2022
CVE-2024-39018 · MEDIUM

@cat5th/key-serializer Prototype Pollution vulnerability

Published Jul 1, 2024
CVE-2025-57351

ts-fns has prototype pollution vulnerability

Published Sep 24, 2025
CVE-2026-25881

@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)

Published Feb 10, 2026
CVE-2021-25944 · CRITICAL

deep-defaults vulnerable to prototype pollution

Published May 24, 2022
CVE-2023-36665 · CRITICAL

protobufjs Prototype Pollution vulnerability

Published Jul 5, 2023
CVE-2021-20088 · HIGH

mootools-more vulnerable to prototype pollution

Published May 24, 2022
CVE-2022-24304

Mongoose Vulnerable to Prototype Pollution in Schema Object

Published Aug 27, 2022
CVE-2021-23432 · MEDIUM

Prototype Pollution in mootools

Published Sep 2, 2021
CVE-2022-37264 · CRITICAL

steal vulnerable to Prototype Pollution via optionName variable

Published Sep 16, 2022
CVE-2020-7708 · CRITICAL

Prototype Pollution in irrelon-path and @irrelon/path

Published May 6, 2021
CVE-2021-3805 · HIGH

Prototype Pollution in object-path

Published Sep 20, 2021
CVE-2022-41879 · HIGH

Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

Published Nov 10, 2022
GHSA-95h2-gj7x-gx9w

Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()

Published Apr 9, 2026
CVE-2020-36618 · MEDIUM

FurqanSoftware/node-whois vulnerable to Prototype Pollution

Published Dec 19, 2022
CVE-2022-26260 · CRITICAL

Prototype Pollution in simple-plist

Published Mar 23, 2022
CVE-2021-23568 · HIGH

Prototype Pollution in extend2

Published Jan 12, 2022
CVE-2021-21368 · MEDIUM

Prototype poisoning

Published Mar 12, 2021
CVE-2025-3197

expand-object Vulnerable to Prototype Pollution via the expand() Function

Published Apr 4, 2025
CVE-2023-3696 · CRITICAL

Mongoose Prototype Pollution vulnerability

Published Jul 17, 2023
MAL-2022-219

Malicious code in @dydxprotocol/perpetual (npm)

Published Sep 23, 2022
CVE-2022-37616 · CRITICAL

Withdrawn: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

Published Oct 11, 2022
MAL-2025-2752

Malicious code in degate_protocols (npm)

Published Mar 28, 2025
CVE-2024-52810

@intlify/shared Prototype Pollution vulnerability

Published Dec 2, 2024
CVE-2018-3750 · CRITICAL

Prototype Pollution in deep-extend

Published Oct 9, 2018
CVE-2018-3723 · HIGH

Prototype Pollution in defaults-deep

Published Jul 26, 2018
CVE-2025-57350

CSVTOJSON has a prototype pollution vulnerability

Published Sep 24, 2025
CVE-2024-21529 · HIGH

dset Prototype Pollution vulnerability

Published Sep 11, 2024
CVE-2020-8116 · HIGH

dot-prop Prototype Pollution vulnerability

Published Jul 29, 2020
CVE-2018-3753 · CRITICAL

Prototype Pollution in async merge-object

Published Sep 18, 2018
MAL-2025-5787

Malicious code in lz-evm-protocol-v2 (npm)

Published Jul 3, 2025
GHSA-fw9q-39r9-c252

LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`

Published Apr 10, 2026
CVE-2022-37602 · CRITICAL

Grunt-karma vulnerable to prototype pollution

Published Oct 14, 2022
CVE-2021-25928 · CRITICAL

Prototype pollution in safe-obj

Published Jun 21, 2021
CVE-2024-36582 · CRITICAL

object-deep-assign Prototype Pollution

Published Jun 17, 2024
CVE-2023-26139 · HIGH

underscore-keypath vulnerable to Prototype Pollution

Published Aug 1, 2023
CVE-2022-21169 · HIGH

express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute

Published Sep 27, 2022
MAL-2024-10321

Malicious code in appdynamics-protobuf (npm)

Published Nov 3, 2024
CVE-2021-25947 · CRITICAL

Prototype pollution in nestie

Published Jun 7, 2021
CVE-2020-28269 · CRITICAL

Prototype Pollution in field

Published Dec 10, 2021
CVE-2021-4307 · MEDIUM

Baobab vulnerable to Prototype Pollution

Published Jan 7, 2023
CVE-2020-7746 · HIGH

Prototype pollution in chart.js

Published May 10, 2021
CVE-2021-23507 · HIGH

Prototype Pollution in object-path-set

Published Feb 5, 2022
CVE-2018-16472 · HIGH

Prototype Pollution in cached-path-relative

Published Nov 7, 2018
CVE-2023-26121 · HIGH

safe-eval vulnerable to Prototype Pollution via the safeEval function

Published Apr 11, 2023
CVE-2024-38988 · CRITICAL

@alizeait/unflatto Prototype Pollution

Published Apr 1, 2025
CVE-2021-20083 · HIGH

jquery-plugin-query-object contains prototype pollution vulnerability

Published May 24, 2022
CVE-2023-26105 · HIGH

mde utilities contains Prototype Pollution

Published Feb 28, 2023
CVE-2019-10793 · MEDIUM

Prototype Pollution in dot-object

Published Feb 9, 2022
MAL-2025-4962

Malicious code in zora1abs-protoc01-sdk (npm)

Published Jun 15, 2025
CVE-2020-28442 · HIGH

Prototype Pollution in js-data

Published Feb 9, 2022
MAL-2025-3840

Malicious code in mozilla-protocol (npm)

Published May 15, 2025
MAL-2022-4276

Malicious code in legacycloudkitresolutionserviceprotocol (npm)

Published Jun 20, 2022
CVE-2026-33696

n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE

Published Mar 26, 2026
CVE-2021-23413 · MEDIUM

jszip Vulnerable to Prototype Pollution

Published Aug 10, 2021
CVE-2020-8203 · HIGH

Prototype Pollution in lodash

Published Jul 15, 2020
MAL-2026-1573

Malicious code in transform-proto-to-assign (npm)

Published Mar 16, 2026
CVE-2026-25586

@nyariv/sandboxjs has Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution

Published Feb 5, 2026
CVE-2020-7788 · HIGH

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Published Dec 10, 2020
CVE-2018-16492 · CRITICAL

Prototype Pollution in extend

Published Feb 7, 2019
CVE-2020-7703 · CRITICAL

Prototype Pollution in nis-utils

Published May 6, 2021
CVE-2024-57072

module-from-string prototype pollution

Published Feb 6, 2025
CVE-2020-5258 · HIGH

Prototype pollution in dojo

Published Mar 10, 2020
CVE-2026-35038
Risk: 0.03/100

Signal K Server: Arbitrary Prototype Read via `from` Field Bypass

Published Apr 3, 2026
CVE-2024-21548 · HIGH

Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo

Published Dec 18, 2024
CVE-2021-23702 · HIGH

Prototype Pollution in object-extend

Published Feb 19, 2022
CVE-2023-26045 · CRITICAL

Path traversal and code execution via prototype vulnerability

Published Jul 25, 2023
CVE-2026-28292

simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE

Published Mar 10, 2026
CVE-2021-28860 · CRITICAL

Prototype Pollution in mixme

Published Feb 10, 2022
CVE-2020-28441 · HIGH

conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2

Published Jul 26, 2022
CVE-2021-23403 · HIGH

Prototype Pollution in ts-nodash

Published Dec 10, 2021
CVE-2020-7716 · CRITICAL

Prototype Pollution in deeps

Published May 6, 2021
CVE-2020-28458 · HIGH

datatables.net vulnerable to Prototype Pollution due to incomplete fix

Published Dec 17, 2020
CVE-2020-7723 CRITICAL

Prototype Pollution in promisehelpers

Published May 6, 2021
CVE-2023-26106 HIGH

dot-lens vulnerable to Prototype Pollution

Published Mar 6, 2023
CVE-2021-23450 HIGH

Prototype Pollution in dojo

Published Jan 5, 2022
CVE-2020-7608 MEDIUM

yargs-parser Vulnerable to Prototype Pollution

Published Sep 4, 2020
GHSA-v8w9-8mx6-g223

Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })

Published Mar 11, 2026
MAL-2022-5490

Malicious code in protocol-http (npm)

Published Jun 20, 2022
CVE-2020-26237 MEDIUM

Prototype Pollution in highlight.js

Published Nov 24, 2020
CVE-2020-7598 MEDIUM

Prototype Pollution in minimist

Published Apr 3, 2020
CVE-2020-7713 CRITICAL

Prototype Pollution in arr-flatten-unflatten

Published May 6, 2021
CVE-2021-32736 HIGH

Prototype Pollution in think-helper

Published Jul 1, 2021
CVE-2021-23518 HIGH

Prototype Pollution in cached-path-relative

Published Jan 27, 2022
CVE-2019-19919 CRITICAL

Prototype Pollution in handlebars

Published Dec 26, 2019
CVE-2025-66414

Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

Published Dec 2, 2025
CVE-2022-25862 MEDIUM

Prototype Pollution in sds

Published May 14, 2022
CVE-2021-25948 CRITICAL

Prototype Pollution

Published Jun 21, 2021
CVE-2025-57318

csvjson vulnerable to prototype injection

Published Sep 24, 2025
CVE-2026-27837

dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()

Published Feb 26, 2026
CVE-2025-57325

rollbar vulnerable to prototype pollution

Published Oct 20, 2025
CVE-2020-28471 HIGH

Properties-Reader before v2.2.0 vulnerable to prototype pollution

Published Jul 19, 2022
CVE-2020-28279 CRITICAL

flattenizer vulnerable to prototype pollution

Published May 24, 2022
CVE-2022-21213 HIGH

Prototype Pollution in mout

Published Jun 18, 2022
CVE-2025-26278

dref is vulnerable to prototype pollution

Published Sep 25, 2025
CVE-2022-22143 HIGH

Prototype Pollution in convict

Published Apr 20, 2022
CVE-2021-3666 CRITICAL

body-parser-xml vulnerable to Prototype Pollution

Published Sep 14, 2021
CVE-2026-33916

Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection

Published Mar 26, 2026
GHSA-525j-hqq2-66r4

OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0

Published Apr 17, 2026
CVE-2026-32886

Parse Server's Cloud function dispatch crashes server via prototype chain traversal

Published Mar 17, 2026
CVE-2026-25639

Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Published Feb 9, 2026
CVE-2021-23452 HIGH

Prototype Pollution in x-assign

Published Oct 21, 2021
CVE-2026-1774

CASL Ability is Vulnerable to Prototype Pollution

Published Feb 10, 2026
CVE-2021-41097 CRITICAL

Prototype pollution in aurelia-path

Published Sep 27, 2021
CVE-2020-5259 HIGH

Prototype Pollution in Dojox

Published Mar 10, 2020
CVE-2025-57326

sassdoc-extras vulnerable to prototype pollution

Published Sep 24, 2025
CVE-2018-3719 HIGH

Prototype Pollution in mixin-deep

Published Jul 26, 2018
CVE-2021-23397 MEDIUM

@ianwalter/merge Prototype Pollution via `merge` function

Published Jul 26, 2022
CVE-2024-23339 MEDIUM

Prototype pollution not blocked by object-path related utilities in hoolock

Published Jan 23, 2024
CVE-2024-45801 HIGH

DOMPurify allows tampering by prototype pollution

Published Sep 16, 2024
CVE-2024-29651 HIGH

json-schema-ref-parser Prototype Pollution issue

Published May 20, 2024
CVE-2023-26113 HIGH

Collection.js vulnerable to Prototype Pollution

Published Mar 18, 2023
CVE-2021-4278 MEDIUM

tree-kit vulnerable to Prototype Pollution

Published Dec 25, 2022
CVE-2025-66035

Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client

Published Nov 26, 2025
MAL-2026-368

Malicious code in mw-proto-models (npm)

Published Jan 20, 2026
CVE-2021-32640 MEDIUM

ReDoS in Sec-Websocket-Protocol header

Published May 28, 2021
CVE-2019-10794 MEDIUM

component-flatten vulnerable to Prototype Pollution

Published May 24, 2022
MAL-2025-3976

Malicious code in @cashcowprotocol/keccak-crypto (npm)

Published May 19, 2025
CVE-2021-23402 HIGH

Prototype Pollution in record-like-deep-assign

Published Dec 10, 2021
CVE-2026-32621

Apollo Federation vulnerable to prototype pollution via incomplete key sanitization

Published Mar 13, 2026
MAL-2022-6452

Malicious code in teller-protocol (npm)

Published Jun 20, 2022
CVE-2022-37258 CRITICAL

steal vulnerable to Prototype Pollution

Published Sep 17, 2022
CVE-2020-7709 MEDIUM

Prototype pollution in json-pointer

Published May 10, 2021
CVE-2021-25912 CRITICAL

Prototype pollution in dotty

Published Feb 5, 2021
CVE-2021-23700 MEDIUM

Prototype Pollution in merge-deep2.

Published Dec 16, 2021
MAL-2022-5491

Malicious code in proton-super-package (npm)

Published Jun 20, 2022
MAL-2025-3094

Malicious code in com.henryhoffman.unlockprotocol (npm)

Published Apr 3, 2025
GHSA-8qm3-746x-r74r

devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed

Published Feb 19, 2026
CVE-2025-27793

Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]

Published Mar 27, 2025
CVE-2026-28794

`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization

Published Mar 2, 2026
CVE-2022-25871 MEDIUM

Prototype Pollution in querymen

Published Jun 18, 2022
CVE-2022-25301 HIGH

Prototype Pollution in jsgui-lang-essentials

Published May 3, 2022
CVE-2022-41714 MEDIUM

fastest-json-copy vulnerable to Prototype Pollution

Published Nov 4, 2022
CVE-2022-25878 HIGH

Prototype Pollution in protobufjs

Published May 28, 2022
CVE-2017-1000048 HIGH

Prototype Pollution Protection Bypass in qs

Published Apr 30, 2020
CVE-2020-7736 HIGH

Prototype Pollution in bmoor

Published May 10, 2021
CVE-2024-38989 CRITICAL

Prototype pollution in izatop bunt

Published Aug 12, 2024
CVE-2026-27212

Prototype pollution in swiper

Published Feb 19, 2026
CVE-2020-7727 CRITICAL

Prototype Pollution in gedi

Published May 6, 2021
CVE-2022-21190 HIGH

Prototype Pollution in convict

Published May 14, 2022
CVE-2021-23594 CRITICAL

Prototype Pollution in realms-shim

Published Jan 12, 2022
MAL-2022-220

Malicious code in @dydxprotocol/solo (npm)

Published Sep 23, 2022
CVE-2020-28278 CRITICAL

shvl vulnerable to prototype pollution

Published May 24, 2022
CVE-2022-46164 CRITICAL

NodeBB vulnerable to account takeover via prototype vulnerability

Published Dec 5, 2022
CVE-2026-33228

Prototype Pollution via parse() in NodeJS flatted

Published Mar 19, 2026
CVE-2025-57352

min-document vulnerable to prototype pollution

Published Sep 24, 2025
CVE-2020-28480 HIGH

Prototype pollution in JointJS

Published Jan 20, 2021
CVE-2021-23370 HIGH

Prototype Pollution in swiper

Published May 10, 2021
CVE-2021-4245 MEDIUM

npm package rfc6902 vulnerable to Prototype Pollution

Published Dec 15, 2022
CVE-2021-23396 MEDIUM

Prototype Pollution in lutils

Published Jun 21, 2021
CVE-2020-7724 CRITICAL

Prototype Pollution in tiny-conf

Published May 10, 2021
CVE-2023-45282 HIGH

Prototype Pollution in NASA Open MCT

Published Oct 6, 2023
MAL-2025-597

Malicious code in compound-protocol (npm)

Published Jan 28, 2025
MAL-2025-60

Malicious code in eslint-config-proton-lint (npm)

Published Jan 5, 2025
CVE-2020-28472 HIGH

Prototype Pollution via file load in aws-sdk and @aws-sdk/shared-ini-file-loader

Published Nov 16, 2021
CVE-2022-24279 HIGH

Prototype Pollution in madlib-object-utils

Published Apr 16, 2022
MAL-2025-6224

Malicious code in google-protobuf-conformance (npm)

Published Jul 24, 2025
CVE-2022-37266 CRITICAL

steal vulnerable to Prototype Pollution via key variable in babel.js

Published Sep 16, 2022
CVE-2022-25296 MEDIUM

Prototype Pollution in bodymen

Published Mar 18, 2022
CVE-2024-57080

vxe-table prototype pollution

Published Feb 6, 2025
GHSA-9qr9-h5gf-34mp

Next.js is vulnerable to RCE in React flight protocol

Published Dec 3, 2025
CVE-2020-7618 MEDIUM

Prototype Pollution in sds

Published Sep 3, 2020
CVE-2021-23449 CRITICAL

Prototype Pollution in vm2

Published Oct 19, 2021
GHSA-rv5g-f82m-qrvv

LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel

Published Apr 8, 2026
CVE-2023-28427 HIGH

Prototype pollution in matrix-js-sdk (part 2)

Published Mar 30, 2023
CVE-2023-2972 CRITICAL

antfu/utils vulnerable to prototype pollution

Published May 30, 2023
MAL-2025-190641

Malicious code in @asyncapi/protobuf-schema-parser (npm)

Published Nov 24, 2025
CVE-2020-8158 CRITICAL

TypeORM vulnerable to MAID and Prototype Pollution

Published May 7, 2021
CVE-2021-23663 MEDIUM

Prototype Pollution in sey

Published Dec 16, 2021
CVE-2024-21512 HIGH

mysql2 vulnerable to Prototype Pollution

Published May 30, 2024
CVE-2026-34156 CRITICAL
Risk: 51.23/100

NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node

Published Mar 30, 2026
CVE-2020-7743 HIGH

Prototype Pollution in mathjs

Published May 10, 2021
GHSA-q42p-pg8m-cqh6

Prototype Pollution in handlebars

Published Jun 5, 2019
CVE-2022-39251 HIGH

matrix-js-sdk subject to user spoofing via Olm/Megolm protocol confusion

Published Sep 30, 2022
CVE-2026-33397

Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR

Published Mar 19, 2026
CVE-2021-23417 MEDIUM

Prototype Pollution in deepmergefn

Published Aug 10, 2021
CVE-2020-28267 HIGH

Prototype pollution in @strikeentco/set

Published May 24, 2022
CVE-2025-57349

messageformat has a prototype pollution vulnerability

Published Sep 24, 2025
MAL-2025-9262

Malicious code in @protos-team/frontend-platform (npm)

Published Aug 14, 2025
MAL-2025-9263

Malicious code in @protos-team/frontend-primitives (npm)

Published Aug 14, 2025
MAL-2022-4495

Malicious code in matic-protocol (npm)

Published Jun 20, 2022
MAL-2023-202

Malicious code in com.google.devtools.atsconsole.controller.proto (npm)

Published May 9, 2023
MAL-2022-6149

Malicious code in skfb-viewer-protocol (npm)

Published Jun 20, 2022
MAL-2023-993

Malicious code in yandex-yt-proto (npm)

Published Jan 30, 2023
MAL-2022-641

Malicious code in @tickertape/protos-pbjs (npm)

Published Jul 8, 2022
MAL-2026-1024

Malicious code in @protonme/routing (npm)

Published Feb 24, 2026
MAL-2025-2276

Malicious code in relay-prototyping-tools (npm)

Published Mar 11, 2025
MAL-2023-8073

Malicious code in limitd-protocol (npm)

Published Sep 11, 2023
MAL-2022-5068

Malicious code in omniprotocol (npm)

Published Jun 1, 2022
MAL-2022-5489

Malicious code in protobufjs-databricks (npm)

Published Jun 20, 2022
MAL-2022-5492

Malicious code in protons-benchmark (npm)

Published Jul 29, 2022
CVE-2019-10750 CRITICAL

Prototype Pollution in deeply

Published Aug 27, 2019
CVE-2023-30857 LOW

Possible prototype pollution in metadata record, when using meta decorator

Published May 1, 2023
MAL-2022-3004

Malicious code in fei-protocol-core (npm)

Published Jun 20, 2022
MAL-2022-535

Malicious code in @proto-services/banking (npm)

Published Jul 21, 2022
CVE-2022-22912 CRITICAL

Prototype pollution in Plist before 3.0.5 can cause denial of service

Published Feb 18, 2022
MAL-2024-11068

Malicious code in protobufjs-shopee (npm)

Published Nov 27, 2024
MAL-2024-11069

Malicious code in proton-vpn-browser-extension (npm)

Published Nov 27, 2024
MAL-2024-11079

Malicious code in rlending-protocol (npm)

Published Nov 27, 2024
GHSA-fp4x-ggrf-wmc6

H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation

Published Mar 23, 2026
MAL-2024-12137

Malicious code in proton-parking-page (npm)

Published Dec 27, 2024
MAL-2025-192543

Malicious code in mw-proto-ts (npm)

Published Dec 11, 2025
MAL-2025-2528

Malicious code in sui-lending-protocol (npm)

Published Mar 18, 2025
CVE-2021-23807 MEDIUM

Prototype Pollution in node-jsonpointer

Published Nov 8, 2021
CVE-2026-26021

set-in Affected by Prototype Pollution

Published Feb 11, 2026
GHSA-2cjr-5v3h-v2w4

Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations

Published Apr 22, 2026
CVE-2020-36632 MEDIUM

flat vulnerable to Prototype Pollution

Published Dec 25, 2022
CVE-2021-23460 HIGH

Prototype pollution in min-dash

Published Feb 1, 2022
MAL-2022-536

Malicious code in @proto-services/integration (npm)

Published Jul 21, 2022
CVE-2024-39001 MEDIUM

ag-grid packages vulnerable to Prototype Pollution

Published Jul 1, 2024
GHSA-5fgg-jcpf-8jjw

i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters

Published Apr 22, 2026
MAL-2025-4965

Malicious code in zora1abs-protoc-helper (npm)

Published Jun 15, 2025
CVE-2024-45277 MEDIUM

SAP HANA Node.js client package vulnerable to Prototype Pollution

Published Oct 8, 2024
CVE-2026-2950 MEDIUM
Risk: 32.52/100

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Published Apr 1, 2026
CVE-2026-33863

Convict has prototype pollution via load(), loadFile(), and schema initialization

Published Mar 26, 2026
CVE-2025-66456

Elysia vulnerable to prototype pollution with multiple standalone schema validation

Published Dec 9, 2025
GHSA-v9jr-rg53-9pgp

DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

Published Apr 22, 2026
CVE-2022-1295 CRITICAL

Prototype Pollution in fullpage.js

Published Apr 12, 2022
GHSA-g9r4-xpmj-mj65

Prototype Pollution in handlebars

Published Sep 4, 2020
CVE-2026-25150

Prototype Pollution via FormData Processing in Qwik City

Published Feb 3, 2026
CVE-2026-34532 CRITICAL
Risk: 45.51/100

parse-server has cloud function validator bypass via prototype chain traversal

Published Mar 31, 2026
CVE-2026-34752 HIGH
Risk: 37.51/100

Haraka affected by DoS via `__proto__` email header

Published Apr 1, 2026
CVE-2025-57323

mpregular vulnerable to prototype pollution

Published Sep 24, 2025
MAL-2025-9265

Malicious code in @protos-team/frontend-utils (npm)

Published Aug 14, 2025
MAL-2024-1384

Malicious code in protonme (npm)

Published May 25, 2024
MAL-2025-190965

Malicious code in hover-design-prototype (npm)

Published Nov 24, 2025
MAL-2025-598

Malicious code in compound-protocol-alpha (npm)

Published Jan 28, 2025