Total
379 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-3982 | 1 Nortikin | 1 Sverchok | 2025-05-12 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in nortikin Sverchok 1.3.0. Affected is the function SvSetPropNodeMK2 of the file sverchok/nodes/object_nodes/getsetprop_mk2.py of the component Set Property Mk2 Node. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-37621 | 1 Browserify-shim Project | 1 Browserify-shim | 2025-05-07 | 9.8 Critical |
| Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in resolve-shims.js. | ||||
| CVE-2025-25014 | 2025-05-07 | 9.1 Critical | ||
| A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. | ||||
| CVE-2022-37623 | 1 Browserify-shim Project | 1 Browserify-shim | 2025-05-06 | 9.8 Critical |
| Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js. | ||||
| CVE-2022-42743 | 1 Deep-parse-json Project | 1 Deep-parse-json | 2025-05-05 | 5.3 Medium |
| deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited. | ||||
| CVE-2022-41714 | 1 Fastest-json-copy Project | 1 Fastest-json-copy | 2025-05-05 | 5.3 Medium |
| fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited. | ||||
| CVE-2022-41713 | 1 Deep-object-diff Project | 1 Deep-object-diff | 2025-05-05 | 5.3 Medium |
| deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited. | ||||
| CVE-2024-39001 | 1 Ag-grid | 3 Ag-grid, Ag-grid-enterprise, Ag Charts | 2025-05-01 | 6.3 Medium |
| ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2023-26136 | 2 Redhat, Salesforce | 8 Acm, Jboss Enterprise Application Platform, Logging and 5 more | 2025-05-01 | 6.5 Medium |
| Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized. | ||||
| CVE-2022-21824 | 5 Debian, Netapp, Nodejs and 2 more | 16 Debian Linux, Oncommand Insight, Oncommand Workflow Automation and 13 more | 2025-04-30 | 8.2 High |
| Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to. | ||||
| CVE-2021-25943 | 1 101 Project | 1 101 | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25941 | 1 Deep-override Project | 1 Deep-override | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25928 | 1 Manta | 1 Safe-obj | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25927 | 1 Safe-flat Project | 1 Safe-flat | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25916 | 1 Patchmerge Project | 1 Patchmerge | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'patchmerge' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25915 | 1 Changeset Project | 1 Changeset | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25914 | 1 Fireblink | 1 Object-collider | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2024-38985 | 1 Janrywang | 1 Depath | 2025-04-30 | 9.8 Critical |
| janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn (lib/index.js:90). This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2022-24999 | 4 Debian, Openjsf, Qs Project and 1 more | 12 Debian Linux, Express, Qs and 9 more | 2025-04-29 | 7.5 High |
| qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable). | ||||
| CVE-2024-38996 | 1 Ag-grid | 3 Ag-grid, Ag-grid-community, Ag-grid-enterprise | 2025-04-28 | 9.8 Critical |
| ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||