Skip to main content

TanStack DB CVE-2026-15607

LOW
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-07-13 VulDB
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable via query API (AV:N), no special conditions (AC:L), requires low-privilege query access per PR:L in 4.0 vector; scope unchanged (S:U) and impact limited to low integrity per 4.0 VC:N/VI:L/VA:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Source Code Evidence Fetched
Jul 13, 2026 - 23:31 vuln.today
Analysis Generated
Jul 13, 2026 - 23:31 vuln.today
Severity Changed
Jul 13, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
Jul 13, 2026 - 23:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Severity Changed
Jul 13, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
Jul 13, 2026 - 23:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
CVE Published
Jul 13, 2026 - 23:00 cve.org
LOW 2.1

DescriptionCVE.org

A vulnerability was detected in tanstack db up to 0.6.8. Affected by this vulnerability is the function select of the file src/query/compiler/select.ts of the component Alias Path Handler. The manipulation results in improperly controlled modification of object prototype attributes. The attack may be launched remotely. The exploit is now public and may be used. The patch is identified as ac09b1177a100eafa85cba3cd09dd1f53f933ded. A patch should be applied to remediate this issue.

AnalysisAI

Prototype pollution in TanStack DB's select() query compiler allows low-privileged remote attackers to mutate Object.prototype by supplying dot-notation alias paths containing reserved JavaScript property names such as __proto__, prototype, or constructor. Versions up to 0.6.8 are confirmed affected via CPE cpe:2.3:a:tanstack:db. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privilege query API access
Delivery
Craft select() call with __proto__ or constructor alias
Exploit
Submit query to TanStack DB select compiler
Install
Compiler splits alias on '.' without sanitization
C2
Traverse segments onto Object.prototype
Execute
Mutate global prototype chain
Impact
Affect downstream application logic

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to have low-privileged access to submit TanStack DB select() queries with attacker-controlled alias path strings - confirmed by PR:L in the CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.1 with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N indicates low real-world severity in isolation: the attack is network-reachable with no attack complexity or prerequisites beyond low-privilege access, but impact is narrowly scoped to low integrity on the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user with access to a TanStack DB query interface submits a select() query with a crafted alias key such as {'__proto__.polluted': someField}, which is split on '.' and walked unsanitized into the result accumulator, writing a property directly onto Object.prototype. A publicly available proof-of-concept exists via GitHub issue #1584 demonstrating both __proto__ and constructor.prototype variants.
Remediation Apply the patch from GitHub commit ac09b1177a100eafa85cba3cd09dd1f53f933ded (PR #1595 at https://github.com/TanStack/db/pull/1595) by upgrading @tanstack/db to the next patch release beyond 0.6.8; the changeset tags this fix as a patch-level release, but the exact tagged version is not confirmed in the available data - verify the current release tag in the npm registry or GitHub releases. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-15607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy