CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Parent: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. In JavaScript this usually means attacker-supplied JSON containing a key such as `__proto__`, or the pair `constructor` and `prototype`, reaching a recursive merge, deep-copy, path-based `set()` or `unserialize()` routine, so that the write lands on `Object.prototype` and every object in the process inherits the attacker's property. Because the polluted property is read later by unrelated code (a "gadget"), the impact depends on what that code does with it: the entries below range from option and status-check overrides and XSS filter bypasses to denial of service and remote code execution.
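The defect behind the description above, as an added example that is not code from any project listed on this page: a lodash-style recursive merge that follows `__proto__` and `constructor.prototype` into `Object.prototype`, the kind of incomplete guard that blocks only `__proto__` (several entries below are exactly that), and a hardened merge that refuses all three keys and only walks own properties. The function names, the `allowAll` property and the request-body payloads are constructed for the example.

```javascript
// Added example, not code from any project listed on this page. Function names
// (unsafeMerge, guardedMerge, safeMerge, isRequestAllowed) are hypothetical.

// Attacker-controlled input as it would arrive in a JSON request body
// (constructed). JSON.parse creates "__proto__" as an ordinary own property
// of the parsed object; it is the merge below that turns it into a prototype
// write.
const PAYLOAD_PROTO = JSON.parse('{"__proto__": {"allowAll": true}}');
const PAYLOAD_CTOR = JSON.parse(
  '{"constructor": {"prototype": {"allowAll": true}}}'
);

// lodash-style isObject: functions count as objects, which is what lets the
// merge walk into Object (a function) and then into Object.prototype.
function isObjectLike(x) {
  return x !== null && (typeof x === "object" || typeof x === "function");
}

// Vulnerable: recurses into whatever already sits at target[key], including
// the inherited accessor __proto__ (resolves to Object.prototype) and the
// inherited constructor (Object) followed by its prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isObjectLike(value)) {
      if (!isObjectLike(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Incomplete fix: blocking only "__proto__" leaves the constructor.prototype
// route open.
function guardedMerge(target, source) {
  for (const key in source) {
    if (key === "__proto__") continue;
    const value = source[key];
    if (isObjectLike(value)) {
      if (!isObjectLike(target[key])) target[key] = {};
      guardedMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: iterate own keys only, refuse the three keys that can reach a
// prototype, and never recurse into an inherited value on the target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // throwing here (reject the input) is the stricter choice
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A "gadget": any read of a property the caller may not have set. Once
// Object.prototype carries allowAll, an empty options object answers true.
function isRequestAllowed(options) {
  return options.allowAll === true;
}

// Runs one merge against a fresh target, reports whether an unrelated empty
// object now inherits the attacker's property, and restores Object.prototype
// so the next run starts clean.
function pollutes(merge, payload) {
  try {
    merge({}, payload);
    return isRequestAllowed({});
  } finally {
    delete Object.prototype.allowAll;
  }
}

// true means the payload reached Object.prototype through that merge.
function report() {
  const result = {};
  for (const [name, merge] of Object.entries({ unsafeMerge, guardedMerge, safeMerge })) {
    result[name] = {
      proto: pollutes(merge, PAYLOAD_PROTO),
      ctorPrototype: pollutes(merge, PAYLOAD_CTOR),
    };
  }
  return result;
}

console.log(JSON.stringify(report(), null, 2));
```

The check a reviewer should apply to any merge, deep-copy or path-set helper is the one `report()` automates: feed it both the `__proto__` form and the `constructor.prototype` form, then read a property off a fresh `{}`. A guard that only handles one spelling passes the first probe and fails the second, which is why an "incomplete fix" so often follows the first advisory.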

473 vulnerabilities with CWE-1321
CVE-2026-42044 MEDIUM
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
CVSS 6.5
CVE-2026-42041 MEDIUM
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
CVSS 4.8
CVE-2026-42035 HIGH
Axios: Header Injection via Prototype Pollution
CVSS 7.4
CVE-2026-42033 HIGH
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
CVSS 7.4
CVE-2026-41238 MEDIUM
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
CVSS 6.9
CVE-2026-6621 HIGH
1024bit extend-deep index.js prototype pollution
CVSS 7.3
CVE-2026-6594 HIGH
brikcss merge prototype pollution
CVSS 7.3
CVE-2026-34626 MEDIUM
Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
CVSS 6.3
CVE-2026-34622 HIGH
Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
CVSS 8.6
CVE-2026-34621 HIGH KEV
Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
CVSS 8.6
CVE-2026-40190 MEDIUM
LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`
CVSS 5.6
CVE-2026-35209 HIGH
defu: Prototype pollution via `__proto__` key in defaults argument
CVSS 7.5
CVE-2026-2950 MEDIUM
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
CVSS 6.5
CVE-2026-34221 CRITICAL
MikroORM has Prototype Pollution in Utils.merge
CVSS 9.1
CVE-2026-33994 CRITICAL
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
CVSS 9.8
CVE-2026-33993 CRITICAL
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
CVSS 9.8
CVE-2026-33916 MEDIUM
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
CVSS 4.7
CVE-2026-33672 MEDIUM
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
CVSS 5.3
CVE-2026-33696 HIGH
n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE
CVSS 8.8
CVE-2026-33228 CRITICAL
flatted: Prototype Pollution via parse()
CVSS 9.8
CVE-2026-32701 HIGH
Qwik has array method pollution in FormData processing, allowing type confusion and DoS
CVSS 7.5
CVE-2026-32886 HIGH
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
CVSS 7.5
CVE-2026-32878 HIGH
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
CVSS 7.5
CVE-2026-31865 MEDIUM
Elysia Cookie Value Prototype Pollution
CVSS 6.5
CVE-2026-27524 MEDIUM
OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path
CVSS 4.3