CVE-2026-6594

HIGH

brikcss merge prototype pollution

Title source: cna

Description

A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/358229

[Signature, Permissions Required] https://vuldb.com/vuln/358229/cti

[Third Party Advisory] https://vuldb.com/submit/791805

[Exploit] https://github.com/sudo-secure/security-research/blob/main/brikcss-merge/prototype-pollution/PoC.md

View Exploit ZIP pw:eip

Scores

CVSS v3 7.3

EPSS 0.0004

EPSS Percentile 13.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-1321 CWE-94

Status published

Products (4)

brikcss/merge 1.0

brikcss/merge 1.1

brikcss/merge 1.2

brikcss/merge 1.3.0

Published Apr 20, 2026

Tracked Since Apr 20, 2026