Skip to main content

Prototype Pollution CVE-2026-6594

| EUVDEUVD-2026-23742 MEDIUM
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-04-20 VulDB GHSA-3jc6-6r48-v6qf
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
Apr 22, 2026 - 20:22 vuln.today
Public exploit code
Severity Changed
Apr 20, 2026 - 02:22 NVD
HIGH MEDIUM
CVSS changed
Apr 20, 2026 - 02:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 20, 2026 - 02:04 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 02:00 euvd
EUVD-2026-23742
Analysis Generated
Apr 20, 2026 - 02:00 vuln.today
CVE Published
Apr 20, 2026 - 01:45 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Prototype pollution in brikcss merge library versions 1.0 through 1.3.0 enables remote unauthenticated attackers to inject malicious properties into JavaScript Object prototypes via crafted __proto__, constructor.prototype, or prototype arguments, potentially leading to information disclosure, authentication bypass, or denial of service. Publicly available exploit code exists (GitHub PoC from sudo-secure). CVSS 7.3 with network vector and no authentication required. Vendor unresponsive to disclosure attempts.

Technical ContextAI

Brikcss merge is a JavaScript utility library for merging objects and arrays. The vulnerability stems from CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as prototype pollution. This occurs when user-controlled input can modify Object.prototype or constructor.prototype without proper sanitization. In JavaScript, all objects inherit from Object.prototype, so polluting this base prototype affects all objects in the application runtime. Attackers can inject properties like __proto__, constructor.prototype, or prototype with malicious values during merge operations. The affected product is identified via CPE as cpe:2.3:a:brikcss:merge covering all versions through 1.3.0. Prototype pollution is a critical vulnerability class in JavaScript ecosystems because it can bypass security controls, enable privilege escalation, cause denial of service through property injection, or leak sensitive information depending on how the polluted properties are used downstream in application logic.

RemediationAI

No vendor-released patch exists for brikcss merge as of this analysis - the maintainer did not respond to disclosure. Primary mitigation: REMOVE brikcss merge from dependencies and replace with actively maintained alternatives such as lodash.merge (with prototype pollution protections enabled), deepmerge (version 4.3.1+), or @fastify/deepmerge. For applications unable to immediately migrate, implement compensating controls: (1) Input validation - sanitize all user-controlled data before passing to merge operations by explicitly blocking keys matching __proto__, constructor, and prototype using allowlist validation; (2) Object.freeze(Object.prototype) at application startup to prevent prototype modification (note: this may break legitimate code relying on prototype extension); (3) Use Object.create(null) for objects passed to merge functions to avoid prototype chain inheritance; (4) Deploy runtime application self-protection (RASP) or web application firewall (WAF) rules to detect and block payloads containing prototype pollution patterns in JSON/form data. Trade-offs: Object.freeze may cause compatibility issues with older libraries; input sanitization adds processing overhead and must cover all entry points. Refer to the public PoC at github.com/sudo-secure/security-research/blob/main/brikcss-merge/prototype-pollution/PoC.md to understand attack patterns for detection rule development.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-6594 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy