CVE-2026-6621

HIGH

1024bit extend-deep index.js prototype pollution

Title source: cna

Description

A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The code repository of the project has not been active for many years.

References (4)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/358256

[Signature, Permissions Required] https://vuldb.com/vuln/358256/cti

[Third Party Advisory] https://vuldb.com/submit/792387

[Exploit] https://github.com/sudo-secure/security-research/blob/main/extend-deep/prototype-pollution/PoC.md

View Exploit ZIP pw:eip

Scores

CVSS v3 7.3

EPSS 0.0004

EPSS Percentile 13.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-1321 CWE-94

Status published

Products (7)

1024bit/extend-deep 0.1.0

1024bit/extend-deep 0.1.1

1024bit/extend-deep 0.1.2

1024bit/extend-deep 0.1.3

1024bit/extend-deep 0.1.4

1024bit/extend-deep 0.1.5

1024bit/extend-deep 0.1.6

Published Apr 20, 2026

Tracked Since Apr 20, 2026