CVE-2026-2964

MEDIUM

higuma web-audio-recorder-js 0.1/0.1.1 - Prototype Pollution

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-2964. PoCs published by thegenetic.

AI-analyzed exploit summary: This repository contains a functional lab environment demonstrating CVE-2026-2964, a prototype pollution vulnerability in the `web-audio-recorder-js` library that can lead to remote code execution. It includes both vulnerable and fixed server implementations, along with setup scripts to replicate the attack chain.

Description

A vulnerability was identified in higuma web-audio-recorder-js 0.1 and 0.1.1. It affects the function `extend` in the library file lib/WebAudioRecorder.js, part of the Dynamic Config Handling component. Manipulation leads to improperly controlled modification of object prototype attributes (prototype pollution). The attack can be launched remotely. Attacks of this nature are highly complex, and exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

nomisec WORKING POC
by thegenetic · poc
https://github.com/thegenetic/CVE-2026-2964-Lab

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: web-audio-recorder-js library
No auth needed
Prerequisites: Node.js (version 18 or later) · npm · curl
devstral-2 · analyzed Mar 20, 2026

References (3)

Core References
Permissions Required, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.347331
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.347331
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.755221

Scores

CVSS v3: 5.0
EPSS: 0.0037
EPSS Percentile: 28.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-1321, CWE-94
Status: published
Products (2)
higuma/webaudiorecorder.js 0.1
higuma/webaudiorecorder.js 0.1.1
Published: Feb 23, 2026
Tracked Since: Feb 23, 2026