Total
384 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-38996 | 1 Ag-grid | 1 Ag-grid | 2025-04-28 | N/A | 9.8 CRITICAL |
| ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-24292 | 1 Aliconnect | 1 Software Development Kit | 2025-04-17 | N/A | 9.8 CRITICAL |
| A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component. | |||||
| CVE-2024-57083 | 1 Redocly | 1 Redoc | 2025-04-14 | N/A | 7.5 HIGH |
| A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-38988 | 1 Alizeait | 1 Unflatto | 2025-04-14 | N/A | 9.8 CRITICAL |
| alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2025-32014 | 2025-04-08 | N/A | N/A | ||
| estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulnerability is fixed in 3.3.3. | |||||
| CVE-2025-3197 | 2025-04-07 | N/A | 7.3 HIGH | ||
| Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__. | |||||
| CVE-2025-25977 | 1 Canvg | 1 Canvg | 2025-03-25 | N/A | 9.8 CRITICAL |
| An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement. | |||||
| CVE-2024-57077 | 2025-03-24 | N/A | 9.1 CRITICAL | ||
| The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. | |||||
| CVE-2024-2495 | 1 Friendlyelec | 1 Friendlywrt | 2025-03-24 | N/A | 5.2 MEDIUM |
| Cryptographic key vulnerability encoded in the FriendlyWrt firmware affecting version 2022-11-16.51b3d35. This vulnerability could allow an attacker to compromise the confidentiality and integrity of encrypted data. | |||||
| CVE-2023-23917 | 1 Rocket.chat | 1 Rocket.chat | 2025-03-12 | N/A | 8.8 HIGH |
| A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account. Any user can create their own server in your cloud and become an admin so this vulnerability could affect the cloud infrastructure. This attack vector also may increase the impact of XSS to RCE which is dangerous for self-hosted users as well. | |||||
| CVE-2023-26102 | 1 Rangy Project | 1 Rangy | 2025-03-11 | N/A | 7.5 HIGH |
| All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype | |||||
| CVE-2023-26105 | 1 Utilities Project | 1 Utilities | 2025-03-11 | N/A | 7.5 HIGH |
| All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function. | |||||
| CVE-2024-57064 | 2025-03-10 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized. | |||||
| CVE-2025-27597 | 2025-03-07 | N/A | N/A | ||
| Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context. | |||||
| CVE-2023-26106 | 1 Dot-lens Project | 1 Dot-lens | 2025-03-05 | N/A | 7.5 HIGH |
| All versions of the package dot-lens are vulnerable to Prototype Pollution via the set() function in index.js file. | |||||
| CVE-2020-7709 | 1 Manuelstofer | 1 Json-pointer | 2025-03-05 | 6.5 MEDIUM | 6.0 MEDIUM |
| This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported. | |||||
| CVE-2023-26121 | 1 Safe-eval Project | 1 Safe-eval | 2025-02-10 | N/A | 7.5 HIGH |
| All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content. | |||||
| CVE-2023-26122 | 1 Safe-eval Project | 1 Safe-eval | 2025-02-07 | N/A | 8.8 HIGH |
| All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf(). | |||||
| CVE-2024-57084 | 2025-02-07 | N/A | 7.5 HIGH | ||
| A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57086 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||