Total: 485 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-57324 | 1 Parseplatform | 1 Parse Javascript Sdk | 2025-10-16 | N/A | 6.5 MEDIUM |
| parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse version 5.3.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57320 | 1 Open-federation | 1 Json-schema-editor-visual | 2025-10-16 | N/A | 6.5 MEDIUM |
| json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function of json-schema-editor-visual versions thru 1.1.1 allows attackers to inject or delete properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2025-57318 | 1 Pradeep-mishra | 1 Csvjson | 2025-10-16 | N/A | 7.5 HIGH |
| A Prototype Pollution vulnerability in the toCsv function of csvjson versions thru 5.1.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | |||||
| CVE-2023-0163 | 1 Mozilla | 1 Convict | 2025-10-15 | N/A | 8.4 HIGH |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still, a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files. This issue affects Convict: before 6.2.4. | |||||
| CVE-2025-54803 | 1 Sunnyadn | 1 Js-toml | 2025-10-09 | N/A | 7.5 HIGH |
| js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. In versions below 1.0.2, a prototype pollution vulnerability in js-toml allows a remote attacker to add or modify properties of the global Object.prototype by parsing a maliciously crafted TOML input. This is fixed in version 1.0.2. | |||||
| CVE-2025-3193 | 1 Algolia | 1 Algoliasearch-helper | 2025-10-05 | N/A | 7.5 HIGH |
| Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed. This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421). **NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users. | |||||
| CVE-2025-25015 | 1 Elastic | 1 Kibana | 2025-10-02 | N/A | 9.9 CRITICAL |
| Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors. | |||||
| CVE-2025-25014 | 1 Elastic | 1 Kibana | 2025-10-02 | N/A | 9.1 CRITICAL |
| A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. | |||||
| CVE-2024-12556 | 1 Elastic | 1 Kibana | 2025-10-02 | N/A | 8.7 HIGH |
| Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. | |||||
| CVE-2023-0842 | 1 Xml2js Project | 1 Xml2js | 2025-09-24 | N/A | 5.3 MEDIUM |
| xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. | |||||
| CVE-2011-10019 | 1 Spreecommerce | 1 Spree | 2025-09-24 | N/A | 9.8 CRITICAL |
| Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication. | |||||
| CVE-2024-45801 | 1 Cure53 | 1 Dompurify | 2025-09-22 | N/A | 7.3 HIGH |
| DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-58280 | 1 Huawei | 1 Harmonyos | 2025-09-11 | N/A | 8.4 HIGH |
| Vulnerability of exposing object heap addresses in the Ark eTS module. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2021-20087 | 1 Acemetrix | 1 Jquery-deparam | 2025-08-14 | 6.5 MEDIUM | 8.8 HIGH |
| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype. | |||||
| CVE-2025-26621 | 1 Citeum | 1 Opencti | 2025-08-06 | N/A | 7.6 HIGH |
| OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability manage customizations can edit webhook that will execute javascript code. This can be abused to cause a denial of service attack by prototype pollution, making the node js server running the OpenCTI frontend become unavailable. Version 6.5.2 fixes the issue. | |||||
| CVE-2023-45811 | 1 Relative | 1 Synchrony | 2025-07-22 | N/A | 8.1 HIGH |
| Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `deobfuscator@2.4.4`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags. | |||||
| CVE-2024-39853 | 1 Swiperjs | 1 Swiper | 2025-07-10 | N/A | 6.5 MEDIUM |
| adolph_dudu ratio-swiper 0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-39003 | 1 Amoyjs | 1 Common | 2025-07-07 | N/A | 7.3 HIGH |
| amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function setValue. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-39000 | 1 Swiperjs | 1 Swiper | 2025-07-07 | N/A | 6.5 MEDIUM |
| adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
| CVE-2024-38997 | 1 Swiperjs | 1 Swiper | 2025-07-07 | N/A | 6.5 MEDIUM |
| adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function extendDefaults. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
