Skip to main content

Prototype Pollution CVE-2026-34221

| EUVDEUVD-2026-17488 HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-03-29 https://github.com/mikro-orm/mikro-orm GHSA-qpfv-44f3-qqx6
8.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 29, 2026 - 16:00 euvd
EUVD-2026-17488
Analysis Generated
Mar 29, 2026 - 16:00 vuln.today
CVE Published
Mar 29, 2026 - 15:44 nvd
HIGH 8.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @mikro-orm/core (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 7.0.0-dev.0.

DescriptionGitHub Advisory

A prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures.

The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged.

Exploitation requires application code to pass untrusted user input into ORM operations that merge object structures, such as entity property assignment or query condition construction.

Prototype pollution may lead to denial of service or unexpected application behavior. In certain scenarios, polluted properties may influence query construction and potentially result in SQL injection depending on application code.

AnalysisAI

Prototype pollution in MikroORM's Utils.merge function allows attackers to modify JavaScript object prototypes when applications pass untrusted user input into ORM operations. Affects @mikro-orm/core npm package, enabling denial of service and potentially SQL injection when polluted properties influence query construction. No public exploit identified at time of analysis, though GitHub security advisory published by the project maintainers confirms the vulnerability class (CWE-1321).

Technical ContextAI

MikroORM is a TypeScript ORM for Node.js supporting multiple SQL databases. The vulnerability resides in the internal Utils.merge helper function, which performs deep object merging for entity property assignment and query condition construction. The function lacks proper filtering of dangerous JavaScript special keys (__proto__, constructor, prototype), implementing the classic prototype pollution pattern (CWE-1321). When untrusted input flows through ORM operations like entity updates or query builders, attackers can inject these special keys to modify the base Object prototype chain. The affected package is pkg:npm/@mikro-orm_core, indicating the core ORM package distributed via npm. Prototype pollution in JavaScript allows modification of properties inherited by all objects in the runtime, creating a cross-cutting attack surface that transcends normal application boundaries.

RemediationAI

Consult the official GitHub security advisory at https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6 for vendor-confirmed patch versions and upgrade guidance. Upstream fix available through the project's GitHub repository, though released patched version number not independently confirmed from provided data. Primary remediation requires upgrading @mikro-orm/core to the patched release specified in the advisory. As an immediate workaround, implement input validation and sanitization before passing user-controlled data to ORM operations, specifically filtering or rejecting objects containing __proto__, constructor, or prototype keys. Use Object.create(null) for user-input objects to prevent prototype chain inheritance, or employ libraries like lodash's merge with prototype pollution protections. Review application code for patterns that dynamically assign user input to entity properties or query conditions without schema validation. The GitHub advisory at https://github.com/advisories/GHSA-qpfv-44f3-qqx6 may contain additional mitigation guidance.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-34221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy