CVE-2026-6594

HIGH

brikcss merge prototype pollution

Title source: cna

Description

A vulnerability was found in brikcss merge up to 1.3.0. The affected component is not specified. Manipulating the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes (prototype pollution). The attack can be performed remotely. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core References
Vdb Entry, Technical Description
VDB-358229 | brikcss merge prototype pollution
https://vuldb.com/vuln/358229
Signature, Permissions Required
VDB-358229 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/358229/cti
Third Party Advisory
Submit #791805 | brikcss @brikcss/merge 1.3.0 Prototype Pollution
https://vuldb.com/submit/791805

Scores

CVSS v3 7.3
EPSS 0.0034
EPSS Percentile 25.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-1321 CWE-94
Status published
Products (5)
brikcss/merge 0npm
brikcss/merge 1.0
brikcss/merge 1.1
brikcss/merge 1.2
brikcss/merge 1.3.0
Published Apr 20, 2026
Tracked Since Apr 20, 2026