What is the CVSS score of CVE-2026-26021?

CVE-2026-26021 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Node.js are affected by CVE-2026-26021?

A critical prototype pollution vulnerability in Set-In (CVSS 9.8) allows unauthenticated attackers to modify core application objects, potentially leading to unauthorized access, data manipulation,…. A patch is available.

Is there a public PoC exploit available for CVE-2026-26021?

Yes, a public proof-of-concept exploit is available for CVE-2026-26021. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-26021?

Within 24 hours: Inventory all systems running Set-In and assess exposure; disable Set-In in non-production environments if patching will take longer. Within 7 days: Apply the available vendor patch to all production systems following change management procedures; validate patch deployment. Within 30 days: Conduct post-patch verification, review application logs for exploitation attempts, and update asset management records.

Node.js CVE-2026-26021

CRITICAL

Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)

2026-02-11 security-advisories@github.com

GHSA-2c4m-g7rx-63q7

Node.js Set In

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

PoC Detected

Feb 13, 2026 - 21:43 vuln.today

Public exploit code

Patch released

Feb 13, 2026 - 21:43 nvd

Patch available

CVE Published

Feb 11, 2026 - 22:15 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.

AnalysisAI

Prototype pollution in set-in npm package allows modification of Object prototype. PoC and patch available.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious nested key array with Array.prototype reference

Delivery

Pass array to set-in function

Exploit

Bypass prototype pollution check

Execution

Pollute Object.prototype properties

Impact

Achieve remote code execution

Access

Craft malicious nested key array with Array.prototype reference

Delivery

Pass array to set-in function

Exploit

Bypass prototype pollution check

Execution

Pollute Object.prototype properties

Impact

Achieve remote code execution

Vulnerability AssessmentAI

Exploitation	No special conditions — remote unauthenticated exploitation against set-in versions >=2.0.1 and <2.0.5 when accepting untrusted nested key array inputs. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Attacker provides input with __proto__ key, polluting Object prototype affecting all objects in the application.
Remediation	Update set-in. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Set-In and assess exposure; disable Set-In in non-production environments if patching will take longer. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL Act Now

9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a

CVE-2026-48714 CRITICAL Act Now

9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p

CVE-2026-53609 CRITICAL Act Now

9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object

CVE-2026-48054 HIGH This Week

8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied

CVE-2026-53608 HIGH This Week

8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

CVE-2026-26021 vulnerability details – vuln.today

Back

Node.js CVE-2026-26021

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code