Which versions of Prototype Pollution are affected by CVE-2026-6594?

The brikcss merge library (versions 1.0-1.3.0) contains a prototype pollution vulnerability that allows unauthenticated remote attackers to inject malicious properties into application objects,…

Is there a public PoC exploit available for CVE-2026-6594?

Yes, a public proof-of-concept exploit is available for CVE-2026-6594. Prioritise patching immediately. EPSS: 0.0%.

Prototype Pollution CVE-2026-6594

Q: What is the CVSS score of CVE-2026-6594?

CVE-2026-6594 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23742 MEDIUM

Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)

2026-04-20 VulDB

GHSA-3jc6-6r48-v6qf

Information Disclosure Prototype Pollution

6.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

PoC Detected

Apr 22, 2026 - 20:22 vuln.today

Public exploit code

Severity Changed

Apr 20, 2026 - 02:22 NVD

HIGH MEDIUM

CVSS changed

Apr 20, 2026 - 02:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 20, 2026 - 02:04 vuln.today

EUVD ID Assigned

Apr 20, 2026 - 02:00 euvd

EUVD-2026-23742

Analysis Generated

Apr 20, 2026 - 02:00 vuln.today

CVE Published

Apr 20, 2026 - 01:45 nvd

MEDIUM 6.9

DescriptionNVD

A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Prototype pollution in brikcss merge library versions 1.0 through 1.3.0 enables remote unauthenticated attackers to inject malicious properties into JavaScript Object prototypes via crafted __proto__, constructor.prototype, or prototype arguments, potentially leading to information disclosure, authentication bypass, or denial of service. Publicly available exploit code exists (GitHub PoC from sudo-secure). …

RemediationAI

Within 24 hours: Inventory all applications and dependencies using brikcss merge library versions 1.0-1.3.0; identify business-critical systems relying on this library. Within 7 days: Evaluate replacement with actively maintained alternatives (e.g., lodash.merge, deepmerge with security reviews) or implement input validation layer; conduct code review for __proto__, constructor.prototype, or prototype argument usage. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6594 vulnerability details – vuln.today

Back

Prototype Pollution CVE-2026-6594

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Prototype Pollution CVE-2026-6594

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code