What is the CVSS score of CVE-2026-46509?

CVE-2026-46509 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L.

Which versions of @ranfdev/deepobj are affected by CVE-2026-46509?

The @ranfdev/deepobj npm package versions 1.0.2 and earlier contain a prototype pollution vulnerability that allows unauthenticated attackers to maliciously modify JavaScript object prototypes…. A patch is available.

How to fix or mitigate CVE-2026-46509?

Within 24 hours: Identify all applications and projects using @ranfdev/deepobj ≤1.0.2 via dependency scanning (npm audit, SBOM review). Within 7 days: Upgrade all instances to version 1.0.3 or later and validate in staging environments. Within 30 days: Confirm production deployments are patched, review application logs for suspicious prototype-related activity patterns, and implement input validation controls on any remaining user-supplied object property paths as defense-in-depth.

@ranfdev/deepobj CVE-2026-46509

EUVD-2026-32976 HIGH

Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)

2026-05-14 https://github.com/ranfdev/deepobj

GHSA-x7q7-fchv-8h2j

Information Disclosure Prototype Pollution

8.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Lifecycle Timeline

Source Code Evidence Fetched

May 14, 2026 - 22:06 vuln.today

Analysis Generated

May 14, 2026 - 22:06 vuln.today

CVE Published

May 14, 2026 - 20:55 nvd

HIGH 8.2

DescriptionNVD

Impact

Prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input.

AnalysisAI

Prototype pollution in @ranfdev/deepobj npm package (versions ≤1.0.2) allows remote unauthenticated attackers to modify JavaScript object prototypes when property paths containing '__proto__', 'constructor', or 'prototype' are processed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation against network-accessible applications, though real-world impact depends critically on whether user-controlled input is passed to property path parameters. …

RemediationAI

Within 24 hours: Identify all applications and projects using @ranfdev/deepobj ≤1.0.2 via dependency scanning (npm audit, SBOM review). Within 7 days: Upgrade all instances to version 1.0.3 or later and validate in staging environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-46509 vulnerability details – vuln.today

Back

@ranfdev/deepobj CVE-2026-46509

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code