Skip to main content

json-schema-library CVE-2026-16008

| EUVDEUVD-2026-45161 LOW
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-07-17 VulDB GHSA-gf3x-ww5j-mxxm
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.4 HIGH

Low-privilege network vector; scope change applies because prototype pollution corrupts the shared JavaScript runtime, affecting components beyond the library's own security domain.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Jul 17, 2026 - 11:22 NVD
MEDIUM LOW
CVSS changed
Jul 17, 2026 - 11:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
Jul 17, 2026 - 11:16 vuln.today
Analysis Generated
Jul 17, 2026 - 11:16 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in sagold json-schema-library 11.5.0/11.5.1. This impacts the function parsePropertyDependencies of the file src/keywords/propertyDependencies.ts. The manipulation leads to improperly controlled modification of object prototype attributes. The attack can be initiated remotely. Upgrading to version 11.6.0 will fix this issue. The identifier of the patch is 432287ee6f68a02ce6f015354618486ec427a32d. It is advisable to upgrade the affected component.

AnalysisAI

Prototype pollution in sagold json-schema-library 11.5.0 and 11.5.1 allows remote low-privileged attackers to corrupt the JavaScript Object prototype by supplying crafted schema definitions or input data containing reserved keys such as __proto__ processed by the parsePropertyDependencies function. The CVSS 4.0 vector confirms low-privilege network exploitation with limited but real confidentiality, integrity, and availability impact; the E:P supplemental metric confirms proof-of-concept code exists. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege application credentials
Delivery
Submit crafted schema or data with `__proto__` dependency key
Exploit
`parsePropertyDependencies` assigns key to plain `{}` dictionary
Execution
`Object.prototype` polluted across JavaScript runtime
Persist
Leverage corrupted prototype via application gadget chain
Impact
Achieve privilege escalation or logic bypass

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application to expose the json-schema-library validation or compilation pipeline to attacker-controlled input - either attacker-supplied schema definitions or attacker-supplied data containing prototype-polluting keys such as `__proto__`. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 with vector AV:N/AC:L/AT:N/PR:L/UI:N reflects network-reachable, low-complexity exploitation requiring low-privilege access - not unauthenticated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker authenticated with low-privilege application credentials submits a crafted JSON schema containing `__proto__` as a `propertyDependencies` key alongside a matching data payload. The `parsePropertyDependencies` function processes the key without sanitization, assigning attacker-controlled values onto `Object.prototype` and corrupting shared JavaScript runtime state. …
Remediation Upgrade sagold json-schema-library to version 11.6.0, available at https://github.com/sagold/json-schema-library/releases/tag/v11.6.0, which resolves the vulnerability via commit 432287ee6f68a02ce6f015354618486ec427a32d. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-16008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy