CVE-2026-6621

HIGH

1024bit extend-deep index.js prototype pollution

Title source: cna

Description

A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The code repository of the project has not been active for many years.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-358256 | 1024bit extend-deep index.js prototype pollution

https://vuldb.com/vuln/358256

Signature, Permissions Required signature permissions-required

VDB-358256 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/358256/cti

Third Party Advisory third-party-advisory

Submit #792387 | 1024bit extend-deep 0.1.6 Prototype Pollution

https://vuldb.com/submit/792387

Exploit exploit

https://github.com/sudo-secure/security-research/blob/main/extend-deep/prototype-pollution/PoC.md

View Exploit ZIP pw:eip

Scores

CVSS v3 7.3

EPSS 0.0034

EPSS Percentile 25.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321 CWE-94

Status published

Products (7)

1024bit/extend-deep 0.1.0

1024bit/extend-deep 0.1.1

1024bit/extend-deep 0.1.2

1024bit/extend-deep 0.1.3

1024bit/extend-deep 0.1.4

1024bit/extend-deep 0.1.5

1024bit/extend-deep 0.1.6

Published Apr 20, 2026

Tracked Since Apr 20, 2026