Total
430 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-37265 | 1 Stealjs | 1 Steal | 2025-05-28 | 9.8 Critical |
| Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js. | ||||
| CVE-2025-48054 | 2025-05-28 | N/A | ||
| Radashi is a TypeScript utility toolkit. Prior to version 12.5.1, the set function within the Radashi library is vulnerable to prototype pollution. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios. This issue has been patched in version 12.5.1. A workaround for this issue involves sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. | ||||
| CVE-2020-36604 | 1 Hapijs | 1 Hoek | 2025-05-27 | 8.1 High |
| hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function. | ||||
| CVE-2022-21169 | 1 Express Xss Sanitizer Project | 1 Express Xss Sanitizer | 2025-05-21 | 7.3 High |
| The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization. | ||||
| CVE-2022-37614 | 1 Mockery Project | 1 Mockery | 2025-05-15 | 9.8 Critical |
| Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js. | ||||
| CVE-2022-37611 | 1 Gh-pages Project | 1 Gh-pages | 2025-05-15 | 9.8 Critical |
| Prototype pollution vulnerability in tschaub gh-pages 3.1.0 via the partial variable in util.js. | ||||
| CVE-2022-37602 | 1 Grunt-karma Project | 1 Grunt-karma | 2025-05-15 | 9.8 Critical |
| Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 via the key variable in grunt-karma.js. | ||||
| CVE-2025-3982 | 1 Nortikin | 1 Sverchok | 2025-05-12 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in nortikin Sverchok 1.3.0. Affected is the function SvSetPropNodeMK2 of the file sverchok/nodes/object_nodes/getsetprop_mk2.py of the component Set Property Mk2 Node. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-37621 | 1 Browserify-shim Project | 1 Browserify-shim | 2025-05-07 | 9.8 Critical |
| Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in resolve-shims.js. | ||||
| CVE-2022-37623 | 1 Browserify-shim Project | 1 Browserify-shim | 2025-05-06 | 9.8 Critical |
| Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js. | ||||
| CVE-2024-39001 | 1 Ag-grid | 3 Ag-grid, Ag-grid-enterprise, Ag Charts | 2025-05-01 | 6.3 Medium |
| ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2022-21824 | 5 Debian, Netapp, Nodejs and 2 more | 16 Debian Linux, Oncommand Insight, Oncommand Workflow Automation and 13 more | 2025-04-30 | 8.2 High |
| Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to. | ||||
| CVE-2021-25943 | 1 101 Project | 1 101 | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25941 | 1 Deep-override Project | 1 Deep-override | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25928 | 1 Manta | 1 Safe-obj | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25927 | 1 Safe-flat Project | 1 Safe-flat | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25916 | 1 Patchmerge Project | 1 Patchmerge | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'patchmerge' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25915 | 1 Changeset Project | 1 Changeset | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2021-25914 | 1 Fireblink | 1 Object-collider | 2025-04-30 | 9.8 Critical |
| Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows attacker to cause a denial of service and may lead to remote code execution. | ||||
| CVE-2024-38985 | 1 Janrywang | 1 Depath | 2025-04-30 | 9.8 Critical |
| janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn (lib/index.js:90). This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||