CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Parent: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

501 vulnerabilities with CWE-1321
CVE-2026-48714 (CRITICAL, CVSS 9.1): i18next-http-middleware < 3.9.7 - Prototype Pollution via missingKeyHandler
CVE-2026-48713 (CRITICAL, CVSS 9.1): i18next-fs-backend: Prototype pollution via crafted missing-key string
CVE-2026-12209 (MEDIUM, CVSS 5.3): RubyLouvre avalon Template Filter index.js prototype pollution
CVE-2026-12208 (MEDIUM, CVSS 5.3): jsonata-js jsonata Function Binding Frame System jsonata.js createFrame prototype pollution
CVE-2026-53609 (CRITICAL, CVSS 9.1): Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass
CVE-2026-44495 (HIGH, CVSS 7.0): Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
CVE-2026-44494 (HIGH, CVSS 8.7): Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
CVE-2026-44490 (MEDIUM, CVSS 4.8): Axios: DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
CVE-2026-44489 (LOW, CVSS 3.7): Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
CVE-2026-46625 (HIGH, CVSS 7.5): JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
CVE-2026-45302 (HIGH, CVSS 8.2): parse-nested-form-data < 1.0.1 - Prototype Pollution via FormData Field Name Traversal
CVE-2026-46510 (HIGH, CVSS 8.2): Prototype pollution in form-data-objectizer via bracket-notation form keys
CVE-2026-46509 (HIGH, CVSS 8.2): deepobj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2026-44483 (HIGH, CVSS 8.2): RVF: Prototype pollution in @rvf/set-get reachable via @rvf/core preprocessFormData (HTTP form data)
CVE-2026-44966 (HIGH, CVSS 8.3): Velocity.js: Prototype Pollution in #set path assignment
CVE-2026-9101 (MEDIUM, CVSS 4.3): MongoDB Compass - Prototype Pollution via CSV Import Leading to Command Execution
CVE-2026-8657 (HIGH, CVSS 8.2): Jsondiffpatch < 0.7.6 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2026-44005 (CRITICAL, CVSS 10.0): vm2: Sandbox escape
CVE-2026-44292 (MEDIUM, CVSS 5.3): protobufjs: Prototype injection in generated message constructors
CVE-2026-44290 (HIGH, CVSS 7.5): protobufjs: Process-wide denial of service through unsafe option paths
CVE-2026-8161 (HIGH, CVSS 7.5): multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception
CVE-2026-41690 (HIGH, CVSS 8.6): Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters
CVE-2026-42264 (HIGH, CVSS 7.4): Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
CVE-2026-42232 (HIGH, CVSS 8.8): n8n: XML Node Prototype Pollution to RCE
CVE-2026-42231 (HIGH, CVSS 8.8): n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE