
Node.js CVE-2026-40190

EUVD-2026-21594 MEDIUM
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-04-10 GitHub_M GHSA-fw9q-39r9-c252
CVSS 3.1: 5.6

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch released: Apr 11, 2026 - 02:30 (nvd). Patch available
EUVD ID Assigned: Apr 10, 2026 - 20:15 (euvd). EUVD-2026-21594
Analysis Generated: Apr 10, 2026 - 20:15 (vuln.today)
CVE Published: Apr 10, 2026 - 19:47 (nvd). MEDIUM 5.6

Description (NVD)

LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. This vulnerability is fixed in 0.5.18.
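The gap the description names, as an added example (not code from the langsmith SDK or from lodash): a key guard that refuses only __proto__ beside one that also refuses constructor and prototype, and a path setter built on the stricter guard. All function names and the sample paths are hypothetical.

```javascript
// Added example: hypothetical helpers, not the langsmith SDK's or lodash's code.

// Incomplete guard as the advisory describes it: only "__proto__" is refused.
function weakGuardAllows(key) {
  return key !== "__proto__";
}

// Hardened guard: refuse every key that can reach a prototype object.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function strictGuardAllows(key) {
  return typeof key === "string" && !UNSAFE_KEYS.has(key);
}

// Split a dotted path and report which segments a given guard would refuse.
function rejectedSegments(path, guard) {
  return path.split(".").filter((key) => !guard(key));
}

// Path-based setter that validates the whole path before writing anything
// and descends only through own properties, never inherited ones.
function safeSet(target, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => k === "" || !strictGuardAllows(k))) {
    throw new TypeError(`unsafe path rejected: ${path}`);
  }
  const define = (obj, key, val) =>
    Object.defineProperty(obj, key, {
      value: val, writable: true, enumerable: true, configurable: true,
    });
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== "object") {
      // Object.create(null) gives a container with no prototype chain.
      define(node, key, Object.create(null));
    }
    node = node[key];
  }
  define(node, keys[keys.length - 1], value);
  return target;
}

// Constructed sample path: no segment equals "__proto__", so the weak guard
// refuses nothing, while the strict guard refuses two of the three segments.
const SAMPLE_PATH = "constructor.prototype.polluted";
```

Running rejectedSegments(SAMPLE_PATH, ...) with each guard shows which segments the __proto__-only check lets through; safeSet throws on the same path before touching the target.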

Analysis (AI)

Prototype pollution in LangSmith JavaScript/TypeScript SDK (langsmith) versions prior to 0.5.18 allows remote attackers to pollute Object.prototype via the createAnonymizer() API by supplying malicious constructor.prototype keys, bypassing an incomplete __proto__ filter. The vulnerability affects all objects in the Node.js process and can lead to information disclosure and integrity violations. …


CVE-2026-40190 vulnerability details – vuln.today
